Module 40 - Forensics Procedures - Q&A Flashcards

1
Q
When a forensics investigator inventories electronic components at the scene of the crime, all of the following should be included in the inventory sheet, except:
A. Investigator's name
B. Time of day
C. Evidence inventory number
D. File hash
A

D. File hashes are generated on individual files located on the electronic storage media, after seizing components at the crime scene.

2
Q
In addition to collecting evidence that may prove a person's guilt, an investigator should also include ____ evidence that may prove the suspect's innocence.
A. circumstantial
B. inculpatory
C. exculpatory
D. demonstrative
A

C. In addition to collecting evidence that may prove a person’s guilt, an investigator should also include exculpatory evidence that may prove the suspect’s innocence.

3
Q
When you are collecting evidence at the scene of the crime, electronic components should be stored in which type of containers?
A. Plastic bags
B. Paper bags
C. Metal containers
D. Anti-static bags
A

D. When collecting evidence at the scene of the crime, you should store electronic components in anti-static bags to prevent damage to them.

4
Q
Which two United States evidence guidelines provide standards for submitting evidence into criminal and civil court cases? (Choose two.)
A. Federal Rules of Evidence
B. 4th Amendment of the U.S. Constitution
C. Federal Rules for Civil Procedure
D. Electronic Communications Privacy Act
A

A, C. The Federal Rules of Evidence and the Federal Rules for Civil Procedure are two standards that dictate how evidence should be introduced into criminal and civil courts, respectively.

5
Q
You have arrived at the scene of a possible crime and are going to collect digital evidence from a workstation. Which of the following types of evidence is the most volatile and should be collected first?
A. Files from a USB stick
B. Contents of RAM
C. Deleted files from the hard drive
D. Graphic images from a CD-ROM
A

B. The contents of the system RAM are the most volatile evidence on the workstation and should be collected first.

6
Q
You are the first responder to a potential computer incident in a company involving an employee's workstation. What is the first step you should take when you arrive at the scene?
A. Unplug the workstation.
B. Secure the scene.
C. Capture the contents of RAM.
D. Inventory the workstation and its peripherals.
A

B. Securing the area is the first step a first responder should take in investigating a potential computer-related incident.

7
Q
Which of the following should be immediately established when collecting electronic components as evidence?
A. Authority over the investigation
B. Guilt of the suspect
C. Chain-of-custody
D. Sequence of events and timeline
A

C. A chain-of-custody should be established immediately when collecting evidence from the scene of a crime.

8
Q
Which of the following is critical to establishing an event order and timeframe of an incident?
A. Timestamps
B. Chain-of-custody
C. Evidence inventory
D. Contents of RAM
A

A. Timestamps are critical to establishing the order in which the events occurred and a working timeframe for an incident.

9
Q
Which of the following is computed for an evidence file to ensure its integrity?
A. MAC times
B. File size
C. AES sum
D. Message digest
A

D. A message digest or hash value is computed for a digital evidence file to ensure its integrity and determine if it has been altered or changed.

10
Q
Which of the following is used to actively monitor and capture network traffic?
A. Sniffer
B. Hardware imager
C. Log files
D. Proxy server
A

A. A sniffer is used to capture active network traffic.
