Chapters 7 Through 16

Chapter 7: Current Computer Forensics Tools
MULTIPLE CHOICE
a. | backup file | c. | image file |
b. | firmware | d. | recovery copy |

a. | UNIX | c. | Linux |
b. | MAC OS X | d. | MS-DOS |

a. | rawcp | c. | d2dump |
b. | dd | d. | dhex |

a. | Validation | c. | Acquisition |
b. | Discrimination | d. | Reconstruction |

a. | brute-force | c. | birthday |
b. | password dictionary | d. | salting |

a. | partition-to-partition | c. | disk-to-disk |
b. | image-to-partition | d. | image-to-disk |

a. | forensic disk copy | c. | budget plan |
b. | risk assessment | d. | report |

a. | Apple | c. | Commodore |
b. | Atari | d. | IBM |

a. | Dir | c. | Copy |
b. | ls | d. | owner |

a. | stationary workstation | c. | lightweight workstation |
b. | field workstation | d. | portable workstation |

a. | F.R.E.D. | c. | FIRE IDE |
b. | SPARC | d. | DiskSpy |

a. | Drive-imaging | c. | Workstations |
b. | Disk editors | d. | Write-blockers |

a. | USB | c. | LCD |
b. | IDE | d. | PCMCIA |

a. | CFTT | c. | FS-TST |
b. | NIST | d. | NSRL |

a. | ISO 3657 | c. | ISO 5725 |
b. | ISO 5321 | d. | ISO 17025 |

a. | NSRL | c. | FS-TST |
b. | CFTT | d. | PARTAB |

a. | MD5 | c. | CRC-32 |
b. | SHA-1 | d. | RC4 |

a. | disk imager | c. | bit-stream copier |
b. | write-blocker | d. | disk editor |

a. | testing, compressed | c. | testing, pdf |
b. | scanning, text | d. | testing, doc |
MATCHING
Match each item with a statement below
a. | JFIF | f. | PDBlock |
b. | Lightweight workstation | g. | Norton DiskEdit |
c. | Pagefile.sys | h. | Stationary workstation |
d. | Salvaging | i. | SafeBack |
e. | Raw data |
Chapter 8: Macintosh and Linux Boot Processes and File Systems
MULTIPLE CHOICE
a. | Phantom | c. | Darwin |
b. | Panther | d. | Tiger |

a. | resource | c. | blocks |
b. | node | d. | inodes |

a. | 32,768 | c. | 58,745 |
b. | 45,353 | d. | 65,535 |

a. | Master Directory Block (MDB) | c. | Extents Overflow File (EOF) |
b. | Volume Control Block (VCB) | d. | Volume Bitmap (VB) |

a. | Extents overflow file | c. | Master Directory Block |
b. | Volume Bitmap | d. | Volume Control Block |

a. | volume information block | c. | catalog |
b. | extents overflow file | d. | master directory block |

a. | AIX | c. | GPL |
b. | BSD | d. | GRUB |

a. | NTFS | c. | HFS+ |
b. | Ext3fs | d. | Ext2fs |

a. | xnodes | c. | infNodes |
b. | extnodes | d. | inodes |

a. | superblock | c. | boot block |
b. | data block | d. | inode block |

a. | Lilo.conf | c. | Lilo.config |
b. | Boot.conf | d. | Boot.config |

a. | 1989 | c. | 1994 |
b. | 1991 | d. | 1995 |

a. | /dev/sda1 | c. | /dev/hda1 |
b. | /dev/hdb1 | d. | /dev/ide1 |

a. | International Organization of Standardization (ISO) |
b. | Advanced SCSI Programming Interface (ASPI) |
c. | CLV |
d. | EIDE |

a. | 40-pin | c. | 80-pin |
b. | 60-pin | d. | 120-pin |
MATCHING
Match each item with a statement below
a. | File Manager | f. | Volume |
b. | Inode blocks | g. | ls |
c. | ISO 9660 | h. | Catalog |
d. | LILO | i. | Finder |
e. | Clumps |
Chapter 9: Computer Forensics Analysis and Validation
MULTIPLE CHOICE
a. | Investigation plan | c. | Litigation path |
b. | Scope creep | d. | Court order for discovery |

a. | investigation plan | c. | evidence custody form |
b. | risk assessment report | d. | investigation report |

a. | risk assessment reports | c. | scope creeps |
b. | investigation plans | d. | subpoenas |

a. | Online | c. | Active |
b. | Inline | d. | Live |

a. | fuzzy | c. | permutation |
b. | stemming | d. | similar-sounding |

a. | live | c. | active |
b. | indexed | d. | inline |

a. | tracers | c. | bookmarks |
b. | hyperlinks | d. | indents |

a. | high-level language, assembler |
b. | HTML editor, hexadecimal editor |
c. | computer forensics tool, hexadecimal editor |
d. | hexadecimal editor, computer forensics tool |

a. | KFF | c. | NTI |
b. | PKFT | d. | NSRL |

a. | recovery | c. | integrity |
b. | creep | d. | hiding |

a. | Norton DiskEdit | c. | System Commander |
b. | PartitionMagic | d. | LILO |

a. | NTFS | c. | HFS |
b. | FAT | d. | Ext2fs |

a. | creep | c. | escrow |
b. | steganography | d. | hashing |

a. | Bit shifting | c. | Marking bad clusters |
b. | Encryption | d. | Steganography |

a. | steganography | c. | password backup |
b. | key escrow | d. | key splitting |

a. | NTI | c. | FTK |
b. | BestCrypt | d. | PRTK |

a. | Data | c. | Password |
b. | Partition | d. | Image |

a. | Brute-force | c. | Profile |
b. | Dictionary | d. | Statistics |

a. | Scope creeps | c. | Password recovery tools |
b. | Remote acquisitions | d. | Key escrow utilities |

a. | HDHOST | c. | DiskEdit |
b. | DiskHost | d. | HostEditor |
MATCHING
Match each item with a statement below
a. | Court orders for discovery | f. | PRTK |
b. | Investigation plan | g. | Validating digital evidence |
c. | Digital Intelligence PDWipe | h. | MD5 |
d. | Live search | i. | System Commander |
e. | Cabinet |
Chapter 10: Recovering Graphics Files
MULTIPLE CHOICE
a. | Bitmap images | c. | Vector graphics |
b. | Metafile graphics | d. | Line-art images |

a. | graphics viewers | c. | image viewers |
b. | image readers | d. | graphics editors |

a. | Bitmap | c. | Vector |
b. | Raster | d. | Metafiles |

a. | JEIDA | c. | demosaicing |
b. | rastering | d. | rendering |

a. | EXIF | c. | PNG |
b. | TIFF | d. | GIF |

a. | Redundant | c. | Huffman |
b. | Lossy | d. | Lossless |

a. | carving | c. | saving |
b. | slacking | d. | rebuilding |

a. | EPS | c. | GIF |
b. | BMP | d. | JPEG |

a. | extension | c. | header data |
b. | name | d. | size |

a. | “A” | c. | “G” |
b. | “C” | d. | “Z” |

a. | GIF | c. | BMP |
b. | JPEG | d. | TIFF |

a. | hexadecimal | c. | disk |
b. | image | d. | text |

a. | TIFF | c. | JPEG |
b. | XIF | d. | GIF |

a. | Steganography | c. | Graphie |
b. | Steganalysis | d. | Steganos |

a. | Replacement | c. | Substitution |
b. | Append | d. | Insertion |

a. | Insertion | c. | Substitution |
b. | Replacement | d. | Append |

a. | EnCase | c. | DriveSpy |
b. | iLook | d. | Outguess |

a. | Encryption | c. | Compression |
b. | Steganography | d. | Archiving |

a. | international | c. | copyright |
b. | forensics | d. | civil |

a. | literary works | c. | architectural works |
b. | motion pictures | d. | audiovisual works |

a. | pantomimes and choreographic works | c. | literary works |
b. | artistic works | d. | pictorial, graphic, and sculptural works |
MATCHING
Match each item with a statement below
a. | Pixels | f. | Steganalysis tools |
b. | Hex Workshop | g. | GIMP |
c. | Adobe Illustrator | h. | XIF |
d. | Microsoft Office Picture Manager | i. | Metafile graphics |
e. | JPEG |
Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions
TRUE/FALSE
- When intruders break into a network, they rarely leave a trail behind.
PTS: 1 REF: 442
- Network forensics is a fast, easy process.
PTS: 1 REF: 447
- PsList from PsTools allows you to list detailed information about processes.
PTS: 1 REF: 450
- With the Knoppix STD tools on a portable CD, you can examine almost any network system.
PTS: 1 REF: 451
- Ngrep cannot be used to examine e-mail headers or IRC chats.
PTS: 1 REF: 455
MULTIPLE CHOICE
- ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
a. | Broadcast forensics | c. | Computer forensics |
b. | Network forensics | d. | Traffic forensics |
PTS: 1 REF: 442
- ____ hide the most valuable data at the innermost part of the network.
a. | Layered network defense strategies | c. | Protocols |
b. | Firewalls | d. | NAT |
PTS: 1 REF: 442
- ____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
a. | Network | c. | Criminal |
b. | Computer | d. | Server |
PTS: 1 REF: 442
- ____ can be used to create a bootable forensic CD and perform a live acquisition.
a. | Helix | c. | Inquisitor |
b. | DTDD | d. | Neon |
PTS: 1 REF: 445
- Helix operates in two modes: Windows Live (GUI or command line) and ____.
a. | command Windows | c. | command Linux |
b. | remote GUI | d. | bootable Linux |
PTS: 1 REF: 445
- A common way of examining network traffic is by running the ____ program.
a. | Netdump | c. | Coredump |
b. | Slackdump | d. | Tcpdump |
PTS: 1 REF: 448
- ____ is a suite of tools created by Sysinternals.
a. | EnCase | c. | R-Tools |
b. | PsTools | d. | Knoppix |
PTS: 1 REF: 450
- ____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
a. | PsReg | c. | RegMon |
b. | RegExplorer | d. | RegHandle |
PTS: 1 REF: 450
- The PSTools ____ kills processes by name or process ID.
a. | PsExec | c. | PsKill |
b. | PsList | d. | PsShutdown |
PTS: 1 REF: 450
- ____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
a. | Ethereal | c. | Tcpdump |
b. | Snort | d. | john |
PTS: 1 REF: 451
- ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
a. | chntpw | c. | memfetch |
b. | john | d. | dcfldd |
PTS: 1 REF: 451
- The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password.
a. | chntpw | c. | oinkmaster |
b. | john | d. | memfetch |
PTS: 1 REF: 451
- ____ are devices and/or software placed on a network to monitor traffic.
a. | Packet sniffers | c. | Hubs |
b. | Bridges | d. | Honeypots |
PTS: 1 REF: 454
- Most packet sniffers operate on layer 2 or ____ of the OSI model.
PTS: 1 REF: 454
- Most packet sniffer tools can read anything captured in ____ format.
a. | SYN | c. | PCAP |
b. | DOPI | d. | AIATP |
PTS: 1 REF: 455
- In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
a. | SYN flood | c. | brute-force attack |
b. | ACK flood | d. | PCAP attack |
PTS: 1 REF: 455
- ____ is the text version of Ethereal, a packet sniffer tool.
a. | Tcpdump | c. | Etherape |
b. | Ethertext | d. | Tethereal |
PTS: 1 REF: 455
- ____ is a good tool for extracting information from large Libpcap files.
a. | Nmap | c. | Pcap |
b. | Tcpslice | d. | TCPcap |
PTS: 1 REF: 455
- The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
a. | Honeynet | c. | Honeywall |
b. | Honeypot | d. | Honeyweb |
PTS: 1 REF: 458
- Machines used in a DDoS attack are known as ____ simply because they have unwittingly become part of the attack.
a. | ISPs | c. | zombies |
b. | soldiers | d. | pawns |
PTS: 1 REF: 458
- A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. | honeywall | c. | honeynet |
b. | honeypot | d. | honeyhost |
PTS: 1 REF: 459
COMPLETION
- ____________________ is a layered network defense strategy developed by the National Security Agency (NSA).
- The term ____________________ means how long a piece of information lasts on a system.
- ____________________ logs record traffic in and out of a network.
- The PSTools ____________________ tool allows you to suspend processes.
ANS: PsSuspend
- The U.K. Honeynet Project has created the ____________________. It contains the honeywall and honeypot on a bootable memory stick.
MATCHING
Match each item with a statement below
a. | Cyberforensics | f. | Trojan horse |
b. | Ethereal | g. | Knoppix |
c. | Tripwire | h. | PsShutdown |
d. | PsGetSid | i. | oinkmaster |
e. | PsLoggedOn |
- displays who’s logged on locally
- displays the security identifier (SID) of a computer or user
- an audit control program that detects anomalies in traffic and sends an alert automatically
- usually refers to network forensics
- a bootable Linux CD intended for computer and network forensics
- shuts down and optionally restarts a computer
- helps manage Snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms
- a network analysis tool
- type of malware
SHORT ANSWER
- Why is testing networks as important as testing servers?
- When are live acquisitions useful?
- What is the general procedure for a live acquisition?
- Detail a standard procedure for network forensics investigations.
- How should you proceed if your network forensic investigation involves other companies?
- Describe some of the Windows tools available at Sysinternals.
- What are some of the tools included with the PSTools suite?
- What is Knoppix-STD?
- What are some of the tools included with Knoppix STD?
- Explain The Auditor tool.
Chapter 12: E-mail Investigations
TRUE/FALSE
- For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator.
PTS: 1 REF: 470
- You can always rely on the return path in an e-mail header to show the source account of an e-mail message.
PTS: 1 REF: 482
- E-mail programs either save e-mail messages on the client computer or leave them on the server.
PTS: 1 REF: 483
- All e-mail servers are databases that store multiple users’ e-mails.
PTS: 1 REF: 485
- Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.
PTS: 1 REF: 489
MULTIPLE CHOICE
- E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
a. | client/server architecture | c. | client architecture |
b. | central distribution architecture | d. | peer-to-peer architecture |
PTS: 1 REF: 469
- In an e-mail address, everything after the ____ symbol represents the domain name.
PTS: 1 REF: 470
- With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
a. | command-line | c. | prompt-based |
b. | shell-based | d. | GUI |
PTS: 1 REF: 472
- When working in a Windows environment, you can press ____ to copy the selected text to the clipboard.
a. | Ctrl+A | c. | Ctrl+V |
b. | Ctrl+C | d. | Ctrl+Z |
PTS: 1 REF: 473
- To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
a. | Options | c. | Properties |
b. | Details | d. | Message Source |
PTS: 1 REF: 473
- To retrieve an Outlook Express e-mail header, right-click the message, and then click ____ to open a dialog box showing general information about the message.
a. | Properties | c. | Details |
b. | Options | d. | Message Source |
PTS: 1 REF: 473
- For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
a. | prn | c. | prnt |
b. |  | d. | prt |
PTS: 1 REF: 477
- To view AOL e-mail headers, click Action, ____ from the menu.
a. | More options | c. | Options |
b. | Message properties | d. | View Message Source |
PTS: 1 REF: 478
- To view e-mail headers on Yahoo!, click the ____ link in the Mail Options window, and then click Show all headers on incoming messages.
a. | Advanced | c. | Message Properties |
b. | General Preferences | d. | More information |
PTS: 1 REF: 480
- In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
a. | .ost | c. | .msg |
b. | .eml | d. | .pst |
PTS: 1 REF: 483
- ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
PTS: 1 REF: 484
- ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
a. | Continuous logging | c. | Circular logging |
b. | Automatic logging | d. | Server logging |
PTS: 1 REF: 485
- The files that provide helpful information to an e-mail investigation are log files and ____ files.
a. | batch | c. | scripts |
b. | configuration | d. | .rts |
PTS: 1 REF: 487
- ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
a. | /etc/sendmail.cf | c. | /etc/var/log/maillog |
b. | /etc/syslog.conf | d. | /var/log/maillog |
PTS: 1 REF: 487
- Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
a. | /etc/Log | c. | /etc/var/log |
b. | /log | d. | /var/log |
PTS: 1 REF: 488
- Exchange logs information about changes to its data in a(n) ____ log.
a. | checkpoint | c. | transaction |
b. | communication | d. | tracking |
PTS: 1 REF: 489
- In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
a. | tracking | c. | temporary |
b. | checkpoint | d. | milestone |
PTS: 1 REF: 489
- The Novell e-mail server software is called ____.
a. | Sendmail | c. | Sawmill |
b. | GroupWise | d. | Guardian |
PTS: 1 REF: 491
- GroupWise has ____ ways of organizing the mailboxes on the server.
PTS: 1 REF: 491
- The GroupWise logs are maintained in a standard log format in the ____ folders.
a. | MIME | c. | QuickFinder |
b. | mbox | d. | GroupWise |
PTS: 1 REF: 491
- Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
a. | POP3 | c. | MIME |
b. | mbox | d. | SMTP |
PTS: 1 REF: 500
COMPLETION
- You can send and receive e-mail in two environments: via the ____________________ or an intranet (an internal network).
- An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message.
- Administrators usually set e-mail servers to ____________________ logging mode.
- In UNIX e-mail servers, the ____________________ file simply specifies where to save different types of e-mail log files.
- Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____________________ formatting, which can be difficult to read with a text or hexadecimal editor.
MATCHING
Match each item with a statement below:
a. | Contacts | f. | Notepad |
b. | Pico | g. | CISCO Pix |
c. | syslogd file | h. | www.whatis.com |
d. | www.arin.net | i. | Pine |
e. | PU020101.db |
- Web site to check file extensions and match the file to a program
- command-line e-mail program used with UNIX
- text editor used with Windows
- the first folder the GroupWise server shares
- text editor used with UNIX
- the electronic address book in Outlook
- a network firewall device
- a registry Web site
- includes e-mail logging instructions
SHORT ANSWER
- Describe how e-mail account names are created on an intranet environment.
- Describe the process of examining e-mail messages when you have access to the victim’s computer and when this access is not possible.
- What are the steps for retrieving e-mail headers on Pine?
- What are the steps for viewing e-mail headers in Hotmail?
- What kind of information can you find in an e-mail header?
- Explain how to handle attachments during an e-mail investigation.
- Why are network router logs important during an e-mail investigation?
- What kind of information is normally included in e-mail logs?
- Provide a brief description of Microsoft Exchange Server. Additionally, explain the differences between .edb and .stm files.
- Briefly explain how to use AccessData FTK to recover e-mails.
Chapter 13: Cell Phone and Mobile Device Forensics
TRUE/FALSE
- Many people store more information on their cell phones than they do on their computers.
PTS: 1 REF: 514
- Investigating cell phones and mobile devices is a relatively easy task in digital forensics.
PTS: 1 REF: 514
- TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.
PTS: 1 REF: 516
- Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.
PTS: 1 REF: 516
- Portability of information is what makes SIM cards so versatile.
PTS: 1 REF: 517
MULTIPLE CHOICE
- Developed during WWII, this technology, ____, was patented by Qualcomm after the war.
a. | iDEN | c. | GSM |
b. | CDMA | d. | EDGE |
PTS: 1 REF: 515
- The ____ digital network divides a radio frequency into time slots.
a. | TDMA | c. | FDMA |
b. | CDMA | d. | EDGE |
PTS: 1 REF: 515
- The ____ network is a digital version of the original analog standard for cell phones.
a. | TDMA | c. | CDMA |
b. | EDGE | d. | D-AMPS |
PTS: 1 REF: 515
- The ____ digital network, a faster version of GSM, is designed to deliver data.
a. | TDMA | c. | EDGE |
b. | iDEN | d. | D-AMPS |
PTS: 1 REF: 515
- TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
a. | IS-136 | c. | IS-236 |
b. | IS-195 | d. | IS-361 |
PTS: 1 REF: 516
- Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
a. | EROM | c. | EEPROM |
b. | PROM | d. | ROM |
PTS: 1 REF: 517
- ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
a. | SD | c. | SDD |
b. | MMC | d. | SIM |
PTS: 1 REF: 517
- ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
a. | SDHCs | c. | CFs |
b. | PDAs | d. | MMCs |
PTS: 1 REF: 518
- The file system for a SIM card is a ____ structure.
a. | volatile | c. | hierarchical |
b. | circular | d. | linear |
PTS: 1 REF: 520
- The SIM file structure begins with the root of the system (____).
PTS: 1 REF: 520
- Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
a. | BitPim | c. | MOBILedit! |
b. | DataPilot | d. | Device Seizure |
PTS: 1 REF: 522
- In a Windows environment, BitPim stores files in ____ by default.
a. | My Documents\BitPim | c. | My Documents\BitPim\Forensics Files |
b. | My Documents\Forensics Files\BitPim | d. | My Documents\BitPim\Files |
PTS: 1 REF: 522
- ____ is a forensics software tool containing a built-in write blocker.
a. | GSMCon | c. | SIMedit |
b. | MOBILedit! | d. | 3GPim |
PTS: 1 REF: 522
COMPLETION
- So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.
- Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ______________________.
- Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.
- The 3G standard was developed by the ______________________ under the United Nations.
- Mobile devices can range from simple phones to small computers, also called ______________________.
MATCHING
Match each item with a statement below:
a. | CDMA | c. | EDGE |
b. | iDEN | d. | ROM |
- proprietary protocol developed by Motorola
- nonvolatile memory
- standard developed specifically for 3G
- one of the most common digital networks, it uses the full radio frequency spectrum to define channels
SHORT ANSWER
- What is some of the information that can be stored in a cell phone?
- What is the bandwidth offered by 3G mobile phones?
- What are the three main components used for cell phone communications?
- Briefly describe cell phone hardware.
- Identify several uses of SIM cards.
- Identify and define three kinds of peripheral memory cards used with PDAs.
- How can you isolate a mobile device from incoming signals?
- What are the four categories of information that can be retrieved from a SIM card?
- What is the general procedure to access the content on a mobile phone SIM card?
- What are some of the features offered by SIMCon?
Chapter 14: Report Writing for High-Tech Investigations
TRUE/FALSE
- Besides presenting facts, reports can communicate expert opinion.
PTS: 1 REF: 530
- A verbal report is more structured than a written report.
PTS: 1 REF: 532
- If you must write a preliminary report, use words such as “preliminary copy,” “draft copy,” or “working draft.”
PTS: 1 REF: 535
- As with any research paper, write the report abstract last.
PTS: 1 REF: 536
- When writing a report, use a formal, technical style.
PTS: 1 REF: 537
MULTIPLE CHOICE
- Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____.
a. | Microsoft Word (DOC) | c. | Encapsulated Postscript (EPS) |
b. | Portable Document Format (PDF) | d. | Postscript (PS) |
PTS: 1 REF: 531
- A(n) ____ is a document that lets you know what questions to expect when you are testifying.
a. | written report | c. | examination plan |
b. | affidavit | d. | subpoena |
PTS: 1 REF: 532
- You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
a. | verbal report | c. | final report |
b. | preliminary report | d. | examination plan |
PTS: 1 REF: 532
- A written report is frequently a(n) ____ or a declaration.
a. | subpoena | c. | deposition |
b. | affidavit | d. | perjury |
PTS: 1 REF: 532
- If a report is long and complex, you should provide a(n) ____.
a. | appendix | c. | table of contents |
b. | glossary | d. | abstract |
PTS: 1 REF: 536
- A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
a. | written report | c. | examination plan |
b. | verbal report | d. | cross-examination report |
PTS: 1 REF: 532
- In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
a. | hypothetical | c. | challenging |
b. | nested | d. | contradictory |
PTS: 1 REF: 533
- An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in many states.
a. | 705 | c. | 805 |
b. | 755 | d. | 855 |
PTS: 1 REF: 534
- Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
a. | subpoena | c. | publishing |
b. | discovery | d. | deposition |
PTS: 1 REF: 535
- A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
a. | low-risk | c. | high-risk |
b. | middle-risk | d. | no-risk |
PTS: 1 REF: 535
- The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. | 200 | c. | 300 |
b. | 250 | d. | 350 |
PTS: 1 REF: 536
- ____ provide additional resource material not included in the body of the report.
a. | Conclusion | c. | Discussion |
b. | References | d. | Appendixes |
PTS: 1 REF: 536
- Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
a. | legal-sequential | c. | arabic-sequential |
b. | roman-sequential | d. | letter-sequential |
PTS: 1 REF: 538
- A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
a. | roman-sequential | c. | legal-sequential |
b. | decimal | d. | indent |
PTS: 1 REF: 538
- In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
a. | year of publication and author’s last name |
b. | author’s last name |
c. | author’s last name and year of publication |
d. | year of publication |
PTS: 1 REF: 541
- Save broader generalizations and summaries for the report’s ____.
a. | appendixes | c. | conclusion |
b. | introduction | d. | discussion |
PTS: 1 REF: 541
- The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
a. | abstract | c. | introduction |
b. | conclusion | d. | reference |
PTS: 1 REF: 541
- If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
a. | conclusions | c. | references |
b. | discussions | d. | appendixes |
PTS: 1 REF: 542
- Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format.
a. |  | c. | PS |
b. | HTML | d. | TXT |
PTS: 1 REF: 543
- Files with extensions .ods and ____ are created using OpenOffice Calc.
a. | .sxc | c. | .dcx |
b. | .xls | d. | .qpr |
PTS: 1 REF: 543
- Files with extension ____ are created using Microsoft Outlook Express.
a. | .sxc | c. | .dbx |
b. | .doc | d. | .ods |
PTS: 1 REF: 543
COMPLETION
- Lawyers use services called _________________________ (libraries), which store examples of expert witnesses’ previous testimony.
- The report body consists of the introduction and _________________________ sections.
- When writing a report, _________________________ means the tone of language you use to address the reader.
- _________________________ assist readers in scanning the text quickly by highlighting the main points and logical development of information.
- The ______________________________ system is frequently used when writing pleadings.
MATCHING
Match each item with a statement below
a. | Decimal numbering | f. | Verbal report |
b. | Lay witness | g. | Spoliation |
c. | FTK | h. | Conclusion section |
d. | Examination plan | i. | MD5 |
e. | Signposts |
- draw the reader’s attention to a point in your report
- a report layout system
- used by an attorney to guide an expert witness in his or her testimony
- computer forensics software tool
- lawyers’ jargon for destroying or concealing evidence
- stands for Message Digest 5
- typically takes place in an attorney’s office where the attorney requests your consultant’s report
- starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion
- a witness testifying to personally observed facts
SHORT ANSWER
- What are the report requirements for civil cases as specified in Rule 26, FRCP?
- Briefly explain how to limit your report to specifics.
- What are the areas of investigation usually addressed by a verbal report?
- Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence.
- What are the four conditions required for an expert witness to testify to an opinion or conclusion?
- What is the basic structure of a report?
- Provide some guidelines for writing an introduction section for a report.
- What do you need to consider to produce clear, concise reports?
- Explain how to use supportive material in a report.
- How should you explain examination and data collection methods?
Chapter 15: Expert Testimony in High-Tech Investigations
TRUE/FALSE
- As an expert witness, you have opinions about what you have found or observed.
PTS: 1 REF: 558
- Create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.
PTS: 1 REF: 559
- As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
PTS: 1 REF: 559
- Like a job resume, your CV should be geared for a specific trial.
PTS: 1 REF: 561
- Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.
PTS: 1 REF: 565
MULTIPLE CHOICE
- When cases go to trial, you as a forensics examiner can play one of ____ roles.
PTS: 1 REF: 558
- When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. | technical/scientific | c. | lay witness |
b. | expert | d. | deposition |
PTS: 1 REF: 558
- Validate your tools and verify your evidence with ____ to ensure its integrity.
a. | hashing algorithms | c. | steganography |
b. | watermarks | d. | digital certificates |
PTS: 1 REF: 559
- For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.
a. | testimony | c. | examination plan |
b. | CV | d. | deposition |
PTS: 1 REF: 561
- If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
PTS: 1 REF: 561
- ____ is a written list of objections to certain testimony or exhibits.
a. | Defendant | c. | Plaintiff |
b. | Empanelling the jury | d. | Motion in limine |
PTS: 1 REF: 562
- Regarding a trial, the term ____ means rejecting potential jurors.
a. | voir dire | c. | strikes |
b. | rebuttal | d. | venireman |
PTS: 1 REF: 563
- ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s allowed to cover an issue raised during cross-examination.
a. | Rebuttal | c. | Closing arguments |
b. | Plaintiff | d. | Opening statements |
PTS: 1 REF: 563
- If a microphone is present during your testimony, place it ____ to eight inches from you.
PTS: 1 REF: 565
- Jurors typically average just over ____ years of education and an eighth-grade reading level.
PTS: 1 REF: 565
- ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. | Conflict of interest | c. | Deposition |
b. | Warrant | d. | Conflicting out |
PTS: 1 REF: 568
- ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. | Rebuttal | c. | Inculpatory |
b. | Plaintiff | d. | Exculpatory |
PTS: 1 REF: 569
- You provide ____ testimony when you answer questions from the attorney who hired you.
a. | direct | c. | examination |
b. | cross | d. | rebuttal |
PTS: 1 REF: 569
- The ____ is the most important part of testimony at a trial.
a. | cross-examination | c. | rebuttal |
b. | direct examination | d. | motions in limine |
PTS: 1 REF: 569
- Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. | setup | c. | compound |
b. | open-ended | d. | rapid-fire |
PTS: 1 REF: 569
- Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes?” are referred to as ____ questions.
a. | hypothetical | c. | setup |
b. | attorney | d. | nested |
PTS: 1 REF: 570
- Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
a. | leading | c. | compound |
b. | hypothetical | d. | rapid-fire |
PTS: 1 REF: 571
- A ____ differs from trial testimony because there is no jury or judge.
a. | rebuttal | c. | civil case |
b. | plaintiff | d. | deposition |
PTS: 1 REF: 573
- There are two types of depositions: ____ and testimony preservation.
a. | examination | c. | direct |
b. | discovery | d. | rebuttal |
PTS: 1 REF: 573
- Discuss any potential problems with your attorney ____ a deposition.
a. | before | c. | during |
b. | after | d. | during direct examination at |
PTS: 1 REF: 574
- A(n) ____ hearing generally addresses the administrative agency’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule.
a. | administrative | c. | legislative |
b. | judicial | d. | direct |
PTS: 1 REF: 575
COMPLETION
- The ______________________ of evidence supports the integrity of your evidence.
- Depending on your attorney’s needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.
- _____________________ is a pretrial motion to exclude certain evidence because it would prejudice the jury.
- At a trial, _____________________ are statements that organize the evidence and state the applicable law.
- The purpose of the _____________________ is for the opposing attorney to preview your testimony before trial.
MATCHING
Match each item with a statement below
a. | Plaintiff | f. | CV |
b. | Motion in limine | g. | Testimony preservation deposition |
c. | Voir dire of venireman | h. | Voir dire |
d. | Opening statements | i. | MD5 |
e. | Discovery deposition |
- part of the discovery process for trial
- presents the case during a trial
- provide an overview of the case during a trial
- questioning potential jurors to see whether they’re qualified
- usually requested by your client to preserve your testimony in case of schedule conflicts or health problems
- a hashing algorithm
- lists your professional experience
- an expert witness qualification phase
- allows the judge to decide whether certain evidence should be admitted when the jury isn’t present
SHORT ANSWER
- What are the differences between a technical or scientific witness and an expert witness?
- What should you do when preparing for testimony?
- What are some of the questions you should consider when preparing your testimony?
- What are some of the technical definitions that you should prepare before your testimony?
- What are some of the reasons to avoid contact with news media during a case?
- What are the procedures followed during a trial?
- What should you do when you find exculpatory evidence?
- How can you deal with rapid-fire questions during a cross-examination?
- Explain the differences between discovery deposition and testimony preservation deposition.
- Briefly describe judicial hearings.
Chapter 16: Ethics for the Expert Witness
TRUE/FALSE
- People need ethics to help maintain their balance, especially in difficult and contentious situations.
PTS: 1 REF: 596
- In the United States, there’s no state or national licensing body for computer forensics examiners.
PTS: 1 REF: 597
- Experts should be paid in full for all previous work and for the anticipated time required for testimony.
PTS: 1 REF: 600
- Expert opinions cannot be presented without stating the underlying factual basis.
PTS: 1 REF: 601
- The American Bar Association (ABA) is a licensing body.
PTS: 1 REF: 603
MULTIPLE CHOICE
- The most important laws applying to attorneys and witnesses are the ____.
a. | professional codes of conduct | c. | rules of evidence |
b. | rules of ethics | d. | professional ethics |
PTS: 1 REF: 597
- Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
a. | expert | c. | discovery |
b. | direct | d. | professional |
PTS: 1 REF: 597
- Attorneys search ____ for information on expert witnesses.
a. | disqualification banks | c. | examination banks |
b. | deposition banks | d. | cross-examination banks |
PTS: 1 REF: 598
- ____ questions can give you the factual structure to support and defend your opinion.
a. | Setup | c. | Rapid-fire |
b. | Compound | d. | Hypothetical |
PTS: 1 REF: 601
- FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. | 702 | c. | 704 |
b. | 703 | d. | 705 |
PTS: 1 REF: 601
- FRE ____ describes whether the basis for the testimony is adequate.
a. | 700 | c. | 702 |
b. | 701 | d. | 703 |
PTS: 1 REF: 601
- The ABA’s ____ contains provisions limiting the fees experts can receive for their services.
a. | Code 703 | c. | Rule 26 |
b. | Model Code | d. | Code 26-1.a |
PTS: 1 REF: 603
- The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. | ISFCE | c. | ABA |
b. | IACIS | d. | HTCIA |
PTS: 1 REF: 603
- ____ are the experts who testify most often.
a. | Civil engineers | c. | Chemical engineers |
b. | Computer forensics experts | d. | Medical professionals |
PTS: 1 REF: 604
- ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. | AMA’s law | c. | APA’s Ethics Code |
b. | ABA’s Model Rule | d. | ABA’s Model Codes |
PTS: 1 REF: 605
- The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
a. | ABA’s | c. | AMA’s |
b. | APA’s | d. | ADA’s |
PTS: 1 REF: 605
COMPLETION
- _____________________ are the rules you internalize and use to measure your performance.
- _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.
- Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called “____________________.”
- The ____________________ is the foundation of medical ethics.
- For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the _____________________ (APA’s) Ethical Principles of Psychologists and Code of Conduct.
MATCHING
Match each item with a statement below:
a. | Ethics | c. | Disqualification |
b. | Federal Rules of Evidence (FRE) | d. | IACIS |
- provides a well-defined, simple guide for expected behavior of computer forensics examiners
- prescribe the methods by which experts appear at trial
- one of the effects of violating court rules or laws
- help you maintain your self-respect and the respect of your profession
SHORT ANSWER
- Briefly describe the issues related to an attorney’s “opinion shopping.”
- What are some of the factors courts have used in determining whether to disqualify an expert?
- Describe some of the traps for unwary experts.
- What are some of the most obvious ethical errors?
- What are some of the guidelines included in the ISFCE code of ethics?
- What are some of the requirements included in the HTCIA core values?
- What are some of the standards for IACIS members that apply to testifying?
- What are the five recommendations set out by the AMA’s policy on expert witness testimony?
- Why is it difficult to enforce any professional organization’s ethical guidelines?
- What are the ethical responsibilities owed to you by your attorney?