Domain 9 - Legal, Regulations, Investigations, and Compliance

Question 1

11. There are three primary kinds of spoofing. They are e-mail spoofing, web-site spoofing, and:

a. System masquerades
b. Gopher spoofing
c. IP spoofing
d. Social engineering

Answer 1

Explanation: Answer c is the correct answer, and is taken verbatim from Investigating Computer-Related Crime. The other answers are incorrect…for a), a system masquerade is not a form of spoofing, it replaces a legitimate computer with the masquerading computer; for b), gopher spoofing is not a primary kind of spoofing, but a subset of P spoofing; and d) is not a type of spoofing at all, but a type of user masquerade.

Question 2

18. A Trojan horse differs from a virus in the following two very important aspects:

a. First, it is not found on Unix boxes; second, it could stand alone as an independent executable file.
b. First, it does not replicate or infect other files; second, it has a limit to how many times it can occur on a system.
c. First, it does not replicate or infect other files; second, it cannot be found by anti-virus software using virus signature files.
d. First, it does not replicate or infect other files; second, it could stand alone as an independent executable file.

Answer 2

Explanation: Answer d is the correct answer, and is taken verbatim from Investigating Computer-Related Crime. The other answers are incorrect. Trojans CAN be found on Unix boxes, it can occur many times on a system, and it can not typically be found using virus signature files.

Question 3

22. The U.S. Freedom of Information Act (FOIA) regulates:

a. Dissemination of and access to data.
b. How government agencies collect, use, maintain or disseminate information pertaining to individuals.
c. Private industry in collecting, using, maintaining and disseminating information pertaining to individuals.
d. What constitutes records for the purposes of the Internal Revenue laws.

Answer 3

Explanation: Answer a is the correct answer, and is taken verbatim from the cited reference. The other answers are incorrect because they each describe other laws. Answer b is incorrect because it describes the Privacy Act of 1974. Answer c is incorrect because it describes the Fair Credit Reporting Act. Answer d is incorrect because it describes IRS Revenue Ruling 71-20.

Question 4

36. The business records exception to the hearsay rule, Fed. R. Evid. 803(6), in general refers to any memorandum, report, record or data compilation (1) made at or near the time of the event, and (2):

a. By a customer who was conducting business with the organization.
b. By, or from information transmitted by, an employees during normal business hours.
c. Transmitted using a digital signature.
d. By, or from information transmitted by, a person with knowledge if the record was kept in the course of a regularly conducted business activity, and it was the regular practice of that business activity to make the record

Answer 4

Explanation: Answer d is the correct answer, and is taken verbatim from Investigating Computer-Related Crime. The other answers are incorrect.

Question 5

38. Intrusion management is a four-step process. The steps are:

a. Avoidance, testing, detection and investigation
b. Identification, authentication, investigation and prosecution
c. Avoidance, detection, investigation and prosecution
d. Detection, communication, investigation and recovery

Answer 5

Explanation: Answer a is the correct answer, and is taken verbatim from Investigating Computer-Related Crime. The other answers are incorrect because identification and authentication (answer b) is a functional area of vulnerability, but not part of the four-step process; prosecution (answer c) can be a result of investigation, but not part of the four-step process itself; and, communication (answer d) should be part of the detection and investigation processes, and recovery is a subset of the detection and investigation processes as well.

Question 6

59. The first case successfully prosecuted under the Computer Fraud and Abuse Act of 1986 was:

a. Robert T. Morris worm
b. Kevin Mitnick computer hacking
c. Melissa virus
d. Clifford Stoll’s cyber-spy case

Answer 6

Explanation: Answer a is the correct answer, and is taken verbatim from the cited reference. The other answers are incorrect because they were not the first case successfully prosecuted under the Computer Fraud and Abuse Act of 1986.

Question 7

61. There are two primary types of message flooding, they are:

a. Disabling services and freezing up X-Windows
b. Malicious use of telnet and packet flooding
c. Broadcast storms and attacking with LYNX clients
d. E-mail and log flooding

Answer 7

Explanation: Answer d is the correct answer, and is taken verbatim from the cited reference. Answers a, b and c all describe attacks, but not message flooding attacks.

Question 8

87. According to Eugene Spafford, computer break-ins are ethical only:

a. To catch a person committing fraud.
b. To prove the security of a computer network system.
c. In extreme situations, such as a life-critical emergency.
d. Whenever corporate management has been forewarned to the break-in attempts.

Answer 8

Explanation: Answer c is the correct answer, and is taken verbatim from “Ermann, Williams & Shauf”. The other answers are incorrect because they were not cited by Dr. Spafford.

Question 9

107. On a DOS disk, the space taken up by the “real” file when you erase it is called:

a. Slack space
b. Unallocated space
c. Swap files
d. Cache files

Answer 9

Explanation: Answer b is the correct answer, and is taken verbatim from Stephenson. The other answers are incorrect. Answers a, b and c all describe other types of space on a DOS disk, but they do not fit the definition.

Question 10

111. “…to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.” Is taken from the:

a. Chain of custody rule
b. Hearsay rule
c. Best evidence rule
d. Distinctive evidence rule

Answer 10

Explanation: Answer c is the correct answer, and is taken verbatim from Stephenson. The other answers are incorrect, but they all are distracters.

Question 11

118. The U.S. Economic Espionage Act of 1996 defines someone as undertaking in economic espionage if they knowingly perform any of five activities. One of these activities includes:

a. Intentionally, without authorization to access any nonpublic computer of a department of agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the government of the United States.
b. Does not obtain consent for the collection, use, or disclosure of personal information
c. Causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.
d. Receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization.

Answer 11

Explanation: Answer d is the correct answer, and is taken verbatim from BS 7799. The other answers are incorrect. Answer a is incorrect, it is from the Computer Fraud and Misuse Act. Answer b is incorrect; it is from the Online Privacy Protection Act of 1999. Answer c is incorrect; it is from the Computer Fraud and Misuse Act.

Question 12

131. U.S. Criminal law identifies a crime as being a wrong against:

a. A private citizen
b. Society
c. The U.S. government
d. Taxpayers

Answer 12

Explanation: Answer b is the correct answer, and is taken verbatim from the reference cited. The other answers are incorrect because they are not specifically addressed within any definitions of U.S. criminal law definitions. However, they are sometimes specifically addressed within specific state and local laws.

Question 13

133. What kind of cases are much easier to convict because the burden of proof required for a conviction is much less:

a. Misdemeanor
b. Civil
c. Criminal
d. Domestic

Answer 13

Explanation: Answer b is the correct answer, and is taken verbatim from the cited reference. The other answers are incorrect since a criminal case requires a preponderance of evidence beyond a reasonable doubt. “Misdemeanor” and “domestic” are not considered case classifications.

Question 14

136. U.S. criminal law falls under two main jurisdictions, they are:

a. Federal and local
b. County and local
c. Federal and state
d. National and international

Answer 14

Explanation: Answer c is the correct answer, and is taken verbatim from the reference cited. The other answers are incorrect because local and county jurisdictions do not address criminal law because they are addressed by federal and state laws. There is not formal terminology with regard to national or international jurisdictions.

Question 15

137. Real evidence is:

a. Things such as tools used in the crime.
b. Made up of tangible objects that prove or disprove guilt.
c. Evidence used to aid the jury in the form of a model, experiment, chart, or an illustration offered as proof.
d. Oral testimony, whereby the knowledge is obtained from any of the witness’s five senses.

Answer 15

Explanation: Answer b is the correct answer, and is taken verbatim from the reference cited below. Answer a is an example of physical evidence. Answer c is an example of demonstrative evidence. Answer d is an example of direct evidence

Question 16

139. According to RFC 1087, any activity is characterized as unethical and unacceptable that purposely:

a. Destroys the integrity of computer-based information.
b. Results in fraud.
c. Threatens e-mail message delivery
d. Participates in gambling.

Answer 16

Explanation: Answer a is the correct answer, and is taken verbatim from the reference cited. The other activities that also fit this definition include:

• Seeks to gain unauthorized access to the resources of the Internet.
• Disrupts the intended use of the Internet
• Wastes resources (people, capacity, computers) through such actions
• Compromises the privacy of users
• Involves negligence in the conduct of Internet-wide experiments
The other answers are incorrect.

Question 17

148. Physical evidence is:

a. Things such as tools used in the crime.
b. Evidence presented to the court in the form of business records, manuals, printouts, etc.
c. Evidence used to aid the jury in the form of a model, experiment, chart, or an illustration offered as proof.
d. Oral testimony, whereby the knowledge is obtained from any of the witness’s five senses.

Answer 17

Explanation: Answer a is the correct answer, and is taken verbatim from the reference cited. Answer b is an example of documentary evidence, and is incorrect. Answer c is incorrect since it is an example of demonstrative evidence. Answer d is also incorrect because it is an example of direct evidence.

Question 18

158. Direct evidence is:

a. Things such as tools used in the crime.
b. Evidence presented to the court in the form of business records, manuals, printouts, etc.
c. Evidence used to aid the jury in the form of a model, experiment, chart, or an illustration offered as proof.
d. Oral testimony, whereby the knowledge is obtained from any of the witness’s five senses.

Answer 18

Explanation: Answer d is the correct answer, and is taken verbatim from the cited reference. Answer a is incorrect as it is an example of physical evidence. Answer b is not correct because it is an example of documentary evidence. Answer c is also wrong since it is an example of demonstrative evidence.

Question 19

160. Which of the following is not one of the Ten Commandments of Computer Ethics published by the Computer Ethics Institute:

a. Thou shalt not use a computer to harm other people.
b. Thou shalt not use a computer to steal.
c. Thou shalt not use a computer to perform a denial of service attack.
d. Thou shalt not use use other people’s computer resources without authorization or proper compensation.

Answer 19

Explanation: Answer c is the correct answer, and is taken verbatim from the published Ten Commandments of Computer Ethics published by the Computer Ethics Institute. The other answers are incorrect because they all appear in the Ten Commandments.

Question 20

177. U.S. criminal conduct is broken down into two classifications depending upon severity. They are:

a. First offence and repeat offence
b. Juvenile and adult
c. Tort and felony
d. Felony and misdemeanor

Answer 20

Explanation: Answer d is the correct answer, and is taken verbatim from the reference below. The other answers are incorrect because they are not classifications of criminal conduct, but are general terminology used within criminal cases, and a tort is another name for civil law.

Question 21

195. U.S. Title 18 of the U.S. Code, Section 1030, also known as the Computer Fraud and Abuse Act, covers which of the following:

a. Obtaining free telephone service by fraud
b. Disrupting computer services
c. Monitoring employee communications
d. Trafficking in passwords

Answer 21

Explanation: Answer d is the correct answer, and is taken verbatim from the reference cited. Answers a and b are covered by various state and local laws and are incorrect. Answer c is covered by the Electronic Communications Privacy Act and is also incorrect.

Question 22

199. There are several types of detection methods for finding viruses. The most common is the:

a. Heuristic Scanner
b. Pattern Scanner
c. Integrity Checker
d. Behavior Blocker

Answer 22

Explanation: Answer b is the correct answer, and is taken verbatim from the cited reference. Pattern scanners work based upon the “dissection” of the virus, isolation of a string of code thought to be unique to the virus, and comparison of the suspected virus with a database of those known signatures. Answer a, heuristic scanner, is incorrect because it does a behavior-based analysis. Such scanners often cause false alarms. Answer c, integrity checker, produces a database of signatures of files on a PC that represent the files in the uninfected state. Answer d, behavior blocker, looks for combinations of disallowed events to occur and stops program execution and warns the user.

Question 23

211. Before evidence can be presented in a U.S. case, it must be competent, relevant, and material to the issue, and it must:

a. Be presented in compliance with the rules of evidence.
b. Be returned to the owner following case closure.
c. Be reliable
d. Be relevant

Answer 23

Explanation: Answer a is the correct answer, and is taken verbatim from the reference cited. The other answers are incorrect. Answer b is incorrect since evidence does not necessarily have to be returned to the owner; it depends upon the situation. Answer c is not correct because reliability is not a specifically stated requirement for evidence within U.S. cases; again it depends upon the case and the quality or availability of other evidence Answer d is a restatement of a requirement from the question.

Question 24

214. There are four types of computer-generated evidence. They are visual output on the monitor, film recorder (includes magnetic representation on disk, tape, or cartridge, and optical representation on CD), printed evidence on a plotter, and:

a. Voice mail messages
b. Scanned images
c. Generated business files
d. Printed evidence on a printer

Answer 24

Explanation: Answer d is the correct answer, and is taken verbatim from the reference below. The other answers are incorrect since they are not necessarily generated by computers. Answer a is considered real evidence. Answer b is considered physical evidence. And, answer c is considered documentary evidence.

Question 25

235. One reason why intellectual property is a special ethical issue when applied to software is because:

a. Computer software is expensive to create.
b. Computer software typically has many features.
c. Computer software is easy to reproduce and distribute.
d. Computer software takes a long time to program.

Answer 25

Explanation: Answer c is the correct answer, and is taken verbatim from the cited reference. The other answers while possibly applicable are incorrect because they are not the best answer to the question.