Chapter 15 Computer Forensics and Investigations

40 Terms

1

Which of the following is not considered a potential source of digital evidence?

A. Internet of Things (IoT) device

B. Mobile phone

C. Faxed document

D. Network router

C. Faxed document

2

___________ includes reviewing transaction logs and uses real-time monitoring to find evidence.

Network analysis

3

Which of the following is best described as "whenever two objects come in contact, a transfer of material occurs"?

A. Fruit of the poisonous tree doctrine

B. Locard's exchange principle

C. The Daubert test

D. Plain view doctrine

B. Locard's exchange principle

4

What are CCE, CCFE, CFCE, and GCFA examples of?

Computer forensics certifications

5

What is a test for measuring the reliability of a scientific methodology?

Daubert

6

During which step of a computer crime investigation is the crime scene typically documented?

Preservation

7

What is a forensic duplicate image?

A bit-by-bit copy of the original storage media

8

Which of the following cannot be examined on a forensic duplicate image?

A. Volatile data cache

B. File download history

C. Internet browsing history

D. Instant message or internet chat logs

D. Instant message or internet chat logs

9

A computer or any electronic device can play one of four roles in computer crime. Cyberstalking and phishing scams are examples of which role?

To facilitate a crime

10

Alice is a computer forensic examiner. She is at a crime scene and finds a computer that must be taken into evidence. She tags the computer, notes that a network cable was attached, and removes the computer from the scene. At which step of the investigative process is Alice most likely working?

Collection

11

All of the following statements are true except:

A. to be admissible, evidence must be collected in a lawful manner.

B. a judge or jury can consider only admissible evidence when they decide cases.

C. forensic examiners must use established practices and procedures when collecting evidence.

D. all evidence is admissible as long as it is reproducible in a tangible form.

D. all evidence is admissible as long as it is reproducible in a tangible form.

12

During which step of a computer crime investigation is expert witness testimony taken?

Presentation

13

A judge or jury can consider only __________ evidence when deciding cases.

admissible

14

Why can non-probative evidence be excluded from trial?

Because it is not relevant

15

At the federal level, what is the name of the main guidance regarding how parties introduce evidence at trial?

Federal Rules of Evidence

16

Which of the following prevents the government from using illegally gathered evidence at a criminal trial?

A. Fruit of the poisonous tree doctrine

B. Locard's exchange principle

C. The Daubert test

D. Probative evidence

A. Fruit of the poisonous tree doctrine

17

What does the best evidence rule require?

That original documents be used at trial

18

Which of the following is not an exception to the Fourth Amendment's requirements for search warrants?

A. Consent

B. Plain view doctrine

C. Interference

D. Exigent circumstances

C. Interference

19

Which of the following is true of the Pen Register and Trap and Trace Statute?

A. No one is allowed to install wiretaps on telephones to intercept telephonic communications.

B. A court order is required to use pen register or trap and trace devices to intercept electronic communications transmission data.

C. No one may access the contents of stored communications unless it is allowed somewhere else in the statute.

D. This law applies to communications content.

B. A court order is required to use pen register or trap and trace devices to intercept electronic communications

20

A(n) _______ happens when a person's reasonable expectation of privacy in a place or thing is compromised. A(n) ______ happens when the government interferes with a person's property.

search, seizure

21

True or False? Computer forensics is the scientific process for examining data stored on, received from, or transmitted by electronic devices.

True

22

True or False? During the identification phase of an investigation, computer forensic examiners learn about the crime, event, or activity being investigated.

True

23

True or False? During the collection step of an investigative process, computer forensic examiners secure the crime scene and any electronic devices and ensure no one tampers with or modifies evidence.

False

24

True or False? The examination step of an investigative process is sometimes referred to as the "bag and tag" step.

False

25

True or False? The chain of custody shows who obtained evidence, where and when it was obtained, who secured it, and who had control or possession of it.

True

26

True or False? A forensic duplicate image is generally made by the forensic examiner during the preservation step of the investigative process.

False

27

True or False? The test for measuring the reliability of a scientific methodology in computer forensic investigations is called the Daubert test.

True

28

True or False? A reasonable Daubert test question is: "Is there a known error rate for the tool?"

True

29

True or False? Regarding forensic investigations, all rules and processes apply equally to both law enforcement and private entities.

False

30

True or False? A search warrant is a court order, and probable cause is a burden of proof.

True

31

True or False? The Fourth Amendment protects people from unreasonable government search and seizure.

True

32

True or False? Probable cause occurs when a person's reasonable expectation of privacy in a place or thing is compromised.

False

33

True or False? To get a search warrant, law enforcement must clearly specify the criminal activity that is being investigated.

True

34

True or False? A warrant is always required to use "silver platter" evidence in court.

False

35

True or False? The exception that allows law enforcement to make a warrantless search in order to protect their safety and to ensure that evidence is not destroyed during an arrest is known as the protective sweep exception.

True

36

True or False? A court-recognized exception to the Fourth Amendment's search warrant requirements is exigent circumstances, under which law enforcement does not need a warrant to search for weapons or contraband on the body of an arrested person.

False

37

True or False? Relevance of evidence can occasionally be a problem for digital evidence because it is sometimes hard for judges and juries to understand very technical information.

True

38

True or False? In a search incident to a lawful arrest, law enforcement is required to have a warrant to search for weapons or contraband on the body of an arrested person.

False

39

True or False? Law enforcement may conduct inventory searches without a warrant when they arrest a suspect. These searches are allowed when they are made for non-investigative purposes.

True

40

True or False? Records recovered from a computer can be hearsay, depending on how they were created originally.

True
