Guide to Computer Forensics and Investigations - Final Practice


100 Terms

1

Loella and her business partner need to expand rapidly but do not have the resources to build out a new server room nor can they afford a person to help build and run it. What cloud service should they use?

Loella and her business partner should use infrastructure as a service because that service model provides the hardware and personnel to maintain it. All Loella and her partner must do is pay for the time they use it. Also, they can add capacity during peak times and remove capacity when they do not need it.

2

Zel is investigating a case that requires review of a suspect's data on multiple social media sites over multiple jurisdictions around the world. As an investigator, Zel is not allowed to physically touch or retrieve information from the machines. How must Zel go about getting evidence from these social media sites?

Zel must get a warrant or subpoena to get the information, and then the vendors must supply it to him. Without a warrant or subpoena, social media sites do not have to give Zel anything.

3

Ursula needs to perform a data-carving task to recover graphic files from a suspect's drive. For this task to be done, certain processes must be followed. What are the steps Ursula needs to take in the beginning phase of data carving these graphic files?

These are the first three steps when data carving: Ursula must locate and export all sectors of the fragmented file. Then Ursula determines the starting and ending cluster numbers for each fragmented group of sectors, and finally, since she is using HxD, she converts the starting and ending cluster addresses to the offset byte positions.

4

The field of e-discovery is specialized, and the software related to it is referred to as a horizontal market, meaning that only a certain type of clientele uses the software.

The field of e-discovery is specialized, and the software is related to what is referred to as a vertical market, meaning that only a certain type of clientele uses the software.

5

Julaine is a Forensic Linguistics specialist working for the Orange County Sheriff's Department. A sheriff's deputy was called to a home for a welfare check and found a person hanging from the rafters in the home. Originally, to Julaine, it looked like suicide based on how the scene looked and how the suicide letter was written. Upon further examination of the suicide note, letters the victim had written, and emails on their computer, Julaine determined that the suicide note was not written by the victim. Eventually, the sheriff also found evidence that pointed to someone else. The manner of death was changed from suicide to homicide. Why would the letter (among other things) lead the investigator toward changing the manner of death from suicide to homicide?

Julaine looked at the tone and phrasing of the suicide note versus the tone and phrasing of letters and emails on the victim's computer, and as a result, was able to determine that the suicide note was written by someone other than the victim.

6

Ethics are the rules you internalize and use to measure your performance.

Ethics are the rules you internalize and use to measure your performance. The standards that others apply to you or that you're compelled to adhere to by external forces, such as licensing bodies, can be called ethics, but they are more accurately described as rules of conduct.

7

Edsel is a forensics expert, and in this role, he helps the judge or jury understand a fact or an issue. According to a standard established in a lawsuit, the expert has the "ethical responsibility to present a complete and unbiased picture of the research relevant to the case at hand." What lawsuit established this standard?

Daubert v. Merrell Dow Pharmaceuticals, Inc. established that it is the role of the expert to provide reliable and valid testimony. The expert has the "ethical responsibility to present a complete and unbiased picture of the research relevant to the case at hand."

8

Hildi is a well-known and successful expert witness on computer forensics and fraud. She receives a call from an attorney asking her what her opinion is regarding a case they are working on involving a client who's been hiding money. Hildi asks the attorney to send her significant material on the case for her to make an evaluation. They say, "That's ok," and hang up. What was probably happening in this scenario?

In this scenario, the attorney was probably opinion shopping. They wanted to find out if Hildi would have a favorable opinion about their case before hiring Hildi.

9

Nicole created some new tools for her exclusive use because she did not like any of the existing tools on the market. She decided to "borrow" some code from one of the commercial tools she liked because the tool worked well. The opposing counsel in the case has asked to see the source code for Nicole's tools. What will be the likely outcome of this scenario?

Nicole was "borrowing" code from another product and incorporated it into her own. She did not acknowledge or pay royalties, so that could be a violation of copyright law and is considered theft. In addition, this situation could result in major embarrassment for Nicole, could have serious criminal and civil liability implications for her, and could adversely impact the attorney who retained her as well as the case she "borrowed" the code for.

10

Sylas is investigating a Fortune 500 company with offices around the world. He is attempting to recover email from some employees suspected of embezzling from the company. The company uses a cloud service provider for their email services. What is the main issue Sylas could encounter when working with a company with international offices?

When working with other countries, Sylas will need to consider stricter privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union, so Sylas must follow all rules and regulations regarding information retrieval in those countries. He cannot choose to follow only laws and regulations that are adjudicated in the United States.

11

Gianna is trying to extract data from a mobile device that has MDM enabled. She is using Cellebrite to extract data from the mobile device but is unable to do so. Why is Gianna having problems extracting the data?

For examiners, extracting data from a mobile device that has MDM enabled is typically difficult or impossible. MDM is designed to resist attempts by mobile forensics extraction tools, such as Cellebrite.

12

Tia's supervisor said she needs to perform a remote acquisition on an employee. The issue is that the employee is in London, United Kingdom; however, the office in the UK is a branch office of the company Tia works for, which is in the United States. What should Tia do first before performing the remote acquisition?

First, Tia must check that the employee has signed the policies and procedures manual that stipulates they give up their right to privacy. If they did not sign the manual, then the employee can argue that they have a right to privacy. Then Tia must check the laws regarding data protection in the UK, to be sure there are no legal ramifications, because the UK has strict data privacy laws. Finally, it is best that Tia engages forensic experts with expertise in cross-border acquisitions to carry out the acquisition process while adhering to legal and ethical standards. When dealing with an international situation, it is always best for someone with experience to handle that type of operation to keep your company from being fined for mishandling data from another country.

13

Ari is using a packet analyzer on his office network. He notices the majority of traffic moving across the network is Transmission Control Protocol (TCP) and Internet Protocol (IP). Why is that?

The most common protocols associated with network traffic are Transmission Control Protocol (TCP) and Internet Protocol (IP).

14

Nia is performing e-discovery for a client on a remote computer. What acquisition tool is Nia using?

Nia is using F-Response Collect because it is designed to perform a wide range of remote data collection tasks including e-discovery.

15

Talia is investigating a Windows OS host computer and is looking for a virtual machine. Where would Talia usually look to find the virtual machine?

Talia would usually find a virtual machine in the User or Documents folder.

16

Faruq is starting a new company as an expert witness. One of the first things he needs to do before taking on clients is to develop an intake form. What are some of the general sections that need to be on the form? Choose all that apply.

Some of the information that needs to be noted on an intake form includes case information, examination instructions, and digital evidence information.

17

Kathy requires a cloud-based tool that can be used by her legal team while on the move for all tasks leading up to the presentation. She wants data analytics to speed up the process of searching and retrieving data, and she doesn't want to buy new software every year to keep up with changing laws. What's the best e-discovery solution for her?

Nextpoint is a cloud-based software used by legal teams and lawyers for all items leading up to the presentation. The software uses data analytics to help expedite data search and retrieval. Its pricing model is per user. They do not have an on-premises version.

18

Mahoney works in the information governance department at Senco. He closely collaborates with the IT department, as they are responsible for data storage infrastructure and associated data. When it comes to managing and handling data, certain crucial areas demand attention. What are those areas? Choose all that apply.

The IT team is responsible for monitoring and managing the data storage infrastructure to ensure effective data management. This is closely linked to security and privacy considerations. Another crucial aspect is risk management, which is influenced by the industry in which the company operates. For instance, food services are a different risk than banking services.

19

Salting passwords is the process of removing bits of a password and then hashing it. This alters the hash value, which makes cracking passwords more difficult.

When salting passwords, extra (random) bits are added to the password, and the result is then hashed. This alters the hash value, which makes cracking the password more difficult.

20

Harlow has been told by their supervisor to check the company's network logs, because, lately, there has been some suspicious activity on the network. What are some of the devices that record activities and events which could be considered network logs? Choose all that apply.

Network servers and firewalls are two of the devices that record traffic that travels in and out of the network.

21

Kelsie is using Google Docs to write a term paper. What cloud service is she using?

Programs, such as Google Docs, are considered software as a service (SaaS), since they are hosted and used in a cloud environment rather than the desktop.

22

Debbie is using F-Response Collect while performing a remote acquisition. She needs to create digital forensic images. Since she doesn't know what team will be reading these images, how will she create these images so they can be read by most forensics programs?

Debbie must use the RAW format. RAW is widely supported by a range of forensic tools and software, which makes it compatible with many forensic analysis and examination applications.

23

Lucian is researching categories of the Internet of Anything. He wants to know what category includes sectors such as agriculture, energy, manufacturing, and supply chain logistics.

Industrial Internet of Things (IIoT): This category includes sectors such as agriculture, energy, manufacturing, and supply chain logistics.

24

In the realm of criminal cases, the discovery process, including e-discovery, is influenced by criminal case law that imposes distinct and sometimes more rigorous discovery requirements. Notably, there exists a specific doctrine mandating the prosecution to disclose all exculpatory evidence to the defense team, regardless of whether it has been explicitly requested. What is the name of this particular doctrine?

In criminal cases, the discovery process, including e-discovery, is also impacted by criminal case law that has different and often more stringent discovery requirements. For instance, the Brady doctrine, whose name comes from the case of Brady v. Maryland, requires the prosecution to produce all exculpatory evidence to the defense team even if it is not specifically requested. There are other doctrines that could cause a criminal case to be thrown out.

25

Palo is a forensics examiner testifying in a case. He is rendering an opinion based on his education, training, and experience. What type of witness is Palo being?

Palo is rendering an opinion based on his education, training, and experience; therefore, he is an expert witness.

26

Maryam is an FBI agent on a drug trafficking task force. She always includes computers and electronic communications devices in her search warrants whenever searching a suspect's home. Why is it important to include computers and other electronic communications devices in a search warrant for a suspect's home? Choose all that apply.

Maryam has a couple of reasons to include computers and electronic communications devices in search warrants. There may be evidence of a crime on the hard drive of the computer or in the files of the other communications devices, and because email is a major communication medium, any crime can involve email as well as text messages and social media communications.

27

Gabryle's company is searching for a cloud-based solution that provides complete control over the data to avoid any unauthorized alteration or deletion. The platform must have the capability to put an application-level hold to enable users to access Google Drive, One Drive, SharePoint, and similar resources. Also, it is crucial that the platform can redact confidential data such as PII, HIPAA, privileged, and attorney-client information to ensure the security of sensitive data. What's the best software solution to fit Gabryle's needs?

Exterro offers purely cloud-based e-discovery software that is useful in case of a litigation hold (or even the anticipation of a hold). It is important to ensure that the data is not altered or deleted. Exterro provides an application-level hold that allows the user to focus on specific resources like Google Drive, One Drive, and SharePoint. The software also manages enterprise-level holds, so there is no need for individuals to handle them. This even applies to handwritten notes and cell phones. Additionally, the software can redact parts of a document for confidentiality, PII, HIPAA, privileged, and attorney-client issues.

28

Sylas is investigating a CSP's customer for evidence of a crime. There are many places Sylas can look regardless of whether the client has the CSP's application installed. Where are some of those places Sylas should look for evidence? Choose all that apply.

Sylas can find evidence in the Windows Prefetch folder, web browser's cache file, and the user's account folder.

29

Nori is examining email to determine whether there is enough evidence to request a warrant. After comparing email logs with the messages, what are some of Nori's next steps to make that determination?

After comparing email logs with the messages, Nori's next steps are to verify the email account, date and time stamp, the IP address, and the message ID, which was not on this list. Once those items are verified, and it is determined that there is enough evidence, then Nori can request a warrant.

30

Reade is in the process of building a honeywall for a client. What is the purpose of a honeywall?

A honeywall is a computer set up to monitor what is happening to honeypots on a network and record what attackers are doing.

31

Raven is about to begin examining an Android phone and needs to be sure that all communication channels to the device have been shut off. What are some of the communications channels that Raven needs to manage? Choose all that apply.

Raven will need to turn on airplane mode, turn off Bluetooth, and turn off screen timeout.

32

Brynda is perusing the CSA agreement for a client and is examining customer restrictions and security measures components of the CSA. What must these components include? Choose all that apply.

CSA components must state who is authorized to access data and what the limitations are in conducting acquisitions for an investigation.

33

Selina is working on a difficult case. She is looking for an exploit, so she is rebuilding a session in Wireshark. Why is rebuilding the session important?

By Selina rebuilding the session, it is possible for her to detect suspicious or unexpected behavior, which may indicate a security breach.

34

Janos was using a Hex editor and discovered a JFIF file. What file format is JFIF, and what is the corresponding beginning hexadecimal value and offset?

Janos's JFIF file is in the JPEG format, which has the hex value FFE0 starting at offset 2.

35

Naomi has been asked to work with Luna Corporation to determine if an employee has started his own business using company resources during work hours. In the process of examining the employee's computer, Naomi discovers evidence that the employee is running an online business from his workstation. Where would Naomi be looking to find evidence? Choose all that apply.

Since the employee is under suspicion for starting his own online business on the side, Naomi is looking for unauthorized Internet use, such as temporary Internet files, Internet history, and email communication.

36

Seth is examining two phones that he received from a recent police raid. One phone is an Android version 4 (Ice Cream Sandwich), and the other is an iPhone with iOS 8. Both phones have passwords on them; the Android phone can still have data retrieved from it, but the iPhone cannot. Why is that? Choose all that apply.

The iPhone will be encrypted as soon as a password is entered on it the first time. The Android phone will not be encrypted with only a password. Other steps must be taken to encrypt an Android phone. Android started automatically encrypting phones when passwords were added with version 5 of the OS, also known as Lollipop.

37

Ares is researching categories of the Internet of Anything. He wants to know which category of IoT includes applications and devices related to businesses in sectors such as office buildings, large residential buildings, healthcare, entertainment, hotels, and travel. Which category is it?

Commercial Internet of Things: This part of the IoT includes applications and devices related to businesses in sectors such as office buildings, large residential buildings, healthcare, entertainment, hotels, and travel.

38

Malcolm is at a critical stage of a live acquisition. As per order of volatility, he is acquiring RAM data first. What types of data can be discovered in RAM? Choose all that apply.

Anything not saved can potentially be found in RAM. But in this case, passwords and login names are the correct answers.

39

Levi types in ifconfig in the command line. What OS is Levi using, and what information will the command show?

When Levi types in ifconfig, he is working in Linux, and the command he is using will show all network adapters.

40

Edgar is researching the difference between lossless and lossy compression. If JPEG is lossy and GIF is lossless, how do JPEG and GIF differ in the way their data is represented?

The difference between GIF and JPEG is in how the data is represented after it is uncompressed. GIF is lossless, so it produces an exact replica of the original data when uncompressed. JPEG is lossy, so it typically produces an altered replica of the data.

41

Quentin was examining a Windows OS for trace evidence of videos on a drive he just acquired. There may still be evidence on the drive even though the original files were deleted. It is not an image file, so what is Quentin looking for?

Quentin is looking for thumbs.db, which is a database file.

42

Sergio has just added a new forensics program to his suite of programs. Before he begins using the new program, he needs to verify the hash value database is up to date. How does Sergio ensure that his program's hash value database is up to date?

Sergio should go to the NIST National Software Library and import the latest updated file hash values. Whenever a new program is installed, it is best to always download the latest updates and not rely on what is already installed. The newest hash files may not be installed.

43

Billie is looking for a multipurpose tool that can be used as an intrusion prevention system (IPS) and an intrusion detection system (IDS). It should also be usable for network forensics. Which tool should Billie choose?

Snort (snort.org) is one of the more powerful network tools in the industry. In addition to being an intrusion prevention system (IPS) and an intrusion detection system (IDS), Snort can be used for network forensics.

44

Edris has a problem. His company has been attacked three times this year, and he needs to figure out how the attackers are getting in, without putting his network at risk. How should Edris accomplish this task?

First, Edris should build multiple honeypots to resemble the parts of his network that are getting attacked. Then, he should build a honeywall and monitor the honeypots so he can record the attackers' actions.

45

Gerald is a professor at a local community college. He is taking excerpts from his favorite authors to use as study material for his English class. He's going to use these excerpts under the fair use guidelines for educational purposes. He takes them to his local copy shop and pays for 40 copies of the handout he created. Does this handout violate the fair use guidelines?

Because Gerald paid to have a commercial printer copy the handout, a copyright violation has occurred, and therefore, the fair use guidelines have been violated.

46

The American Bar Association (ABA) is a licensing body for the state licensing boards of the United States.

The American Bar Association (ABA) is not a licensing body, but the ABA's Model Code of Professional Responsibility (Model Code) and its successor, the Model Rules of Professional Conduct (Model Rules), are the basis of state licensing bodies' codes. In the United States, attorneys are licensed by individual states.

47

Farley is a forensics examiner specializing in email forensics. He does not like it when an email administrator uses log rotation instead of logging. Why does Farley dislike log rotation?

Farley dislikes log rotation because it overwrites the log file after a certain size or timeframe. After the log is overwritten, it cannot be recovered unless it has been backed up. If the log was not backed up or is corrupted, then that log is no longer available.

48

Nia is interning with a law firm that specializes in litigation. The attorney instructs her to research Rule 26(f) of the FRCP. What is rule 26(f) of the FRCP?

Rule 26(f) of the FRCP mandates that the parties "meet and confer" early in a litigation to agree on what constitutes relevant data, what formats should be used, and what metadata should be included.

49

Brigid is assisting an attorney in the presentation phase of EDRM. Presentations can take place at various times. When can they occur? Choose all that apply.

The final phase of the EDRM model is the presentation phase. Presentation may occur at a deposition or hearing, during mediation, or at a trial with a judge and jury present.

50

The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 to broaden the range of computer crimes covered by federal law. This included unauthorized access to networks and computers, which became crucial as hackers became more active.

In 1986, the Computer Fraud and Abuse Act (CFAA) was passed to expand the scope of computer crimes covered by federal law to include those related to the unauthorized access of networks and computers, which became important as hackers became more active.

51

Barry is beginning an investigation into a cloud service provider (CSP). An issue with this service provider is that they have been commingling their data with that of their other clients to hide profits from illegal activity. What is the term for many different unrelated businesses sharing the same applications and storage space, and what makes collecting evidence difficult in this situation?

It's called multitenancy. The problem is in trying to retrieve data from the other tenants (businesses) in the CSP, due to legal and jurisdiction-specific factors governing the data that those businesses own.

52

Shani wants to run the newest version of Windows 11 and use Kali Linux on her computer. She has decided to use a hypervisor so she does not have to use a dual boot system. What type of hypervisor should Shani use?

Shani should use a type 2 hypervisor as it rests on top of the existing OS, in this case Windows, and she will be able to access Kali Linux whenever she wants.

53

Overall, an intranet email system is for public use, and the Internet system is for the private use of network users.

Overall, an intranet email system is for the private use of network users, and Internet email systems are for public use.

54

The Information Governance Reference Model (IGRM) addresses stakeholders and factors that impact information governance. These factors include users, security, privacy, legal, and risk.

The Information Governance Reference Model (IGRM), which feeds into the steps of the EDRM, is a framework and set of guidelines developed in 2012 to help companies manage their information resources. It addresses stakeholders and factors that impact information governance, including users, security, privacy, legal, and risk.

55

Agastay is a United States Marshal. His office wants to track the cell phone of a suspicious person to see who he meets, but he cannot do so unless he has a warrant, due to the Fourth Amendment. Why is cell phone tracking subject to Fourth Amendment rights? Choose all that apply.

The Fourth Amendment protects not just physical spaces but also "effects." A person's movements and location can be considered an effect, and therefore protected under the Fourth Amendment. Tracking an individual's cell phone can be seen as a "search" in the legal sense. Gathering detailed location information from a cell phone is akin to conducting surveillance, and therefore is protected under the Fourth Amendment.

56

Jamisha is trying to unlock an Apple iPhone and is on her ninth attempt. Her supervisor asks Jamisha how many times she has tried, and when she tells them nine and is about to make her tenth attempt, they tell her to stop immediately. Why must Jamisha stop trying to input the password?

After the 10th failed attempt, the phone will initiate a factory reset and will wipe all non-OS data from the device.

57

Tegan lives in the state of Washington and is receiving unsolicited misleading emails from a company located in the state of Washington. The misleading information in the subject line reads "Check Unclaimed," and in the body of the message, there is an advertisement for a debt consolidation service. This is considered spam. Tegan is annoyed about receiving this type of email and wants to report it. How does the state of Washington handle spam complaints compared to other states?

The state of Washington has an anti-spam law whereby it is illegal to send unsolicited commercial email if certain conditions are met. The first condition requires that the sender and receiver are located in the state of Washington. The computer that sent the email message is located in the state of Washington, and so is Tegan. In addition, there is misleading information in the subject line. Therefore, the state of Washington can sue the company responsible for the spam if the company does not stop sending it.

58

Enzo is in the process of purchasing software for his firm. He is considering both e-discovery and digital forensics software, given the nature of his company's operations. He is particularly interested in a startup that is about to launch new software. The software has many features that Enzo can use, but he must keep one very important result in mind before making any purchase decision. What result does Enzo need to keep in mind?

The results of an investigation using e-discovery software must be able to be presented in court, which means the software must be able to verify chain of custody.

59

Iian is a forensic examiner investigating a case at VLOS Enterprises. The email administrator for the company is running a UNIX email server, and Iian discovered that all email is stored on the local email server. Since Iian needs to access those email messages, and they are on the server, how will Iian gain access to the suspect's email without the suspect's knowledge?

Because all email is saved on the server, the UNIX administrator can create an email group and add Iian to the same group as the suspect, which will give him access to the suspect's email without the suspect's knowledge.

60

Hailey is working on a case where the suspect is using a web-based email provider. She wants to get access to the suspect's email, but this suspect was only discovered three days ago, and the crime happened two months ago. What are Hailey's issues with this scenario? Choose all that apply.

First, because it is a public email provider, Hailey needs a warrant to get access to the provider, so it may take some time before she gets access to the suspect's emails. In this case, the suspect was found only three days ago, and the crime happened 60 days ago. The email provider may only keep email logs for 30 days before overwriting them. So, Hailey might lose out on the opportunity to seize key information from possible email sent by the suspect.

61

Larkyn and her team are deciding which defense system would be right for them based on price. What is the determining factor in deciding how much to spend for a defense system?

In any organization, a determination must be made as to the value of the data that's being protected, and that value must be weighed against the price of a new defense system.

62

Malcolm is currently pursuing a pre-law degree with a keen interest in the intersection of law and computer science. He is currently researching two related fields, namely e-discovery and digital forensics. While there is some overlap between these two fields, he wants to understand what sets them apart from each other. What are the key differences between e-discovery and digital forensics? Choose all that apply.

In e-discovery, the two parties involved in a litigation e-discovery process will ask the opposing party for data specifically related to the subject of the litigation. The investigators know that they are looking for information related to a contract dispute, intellectual property rights, product defect, or false financial information, for instance. In digital forensics, on the other hand, the investigator is typically looking for information related to a criminal matter, corporate espionage, or a civil suit. While the investigator may have an idea of what they are looking for, their job is more along the lines of solving a puzzle. E-discovery experts tend to view digital forensics as part of their process, while digital forensics experts often see the two fields as overlapping.

63

Jacob uses a smart thermostat to keep his home the temperature he likes. The thermostat has learned when he is home and when he is away and adjusts the temperature accordingly. It is connected to his wireless network so he can also contact the thermostat when he is away from home and make changes to the temperature so that his home can be cooler or warmer by the time he gets home. Because of this, Jacob needs to be very careful that his wireless network is always secure. He must use long complex passwords and change the password every 90 days. Why is it important that Jacob takes these precautions?

If a hacker were to break into Jacob's wireless network and access the thermostat, the hacker could take control of the thermostat and make it hotter or colder at will. This could damage the house or make the family extremely uncomfortable. Even more dangerous, the hacker could also figure out Jacob's home and away patterns so that they could know when Jacob and his family weren't home and break in without fear of interruption.

64

Jennifer is searching for JPEG files using the search string "FIF." Because it's only part of the label name of the JFIF JPEG format, she also gets several false hits (false positives). How should Jennifer change her search string to reduce the number of false positives?

Jennifer should change the string so it uses the whole JFIF label. This should decrease the number of false positives, since the search then matches only the JFIF JPEG format.

65

Sam is involved in an investigation of a virtual machine found on a suspect's computer. What are the basic steps involved in the beginning of a virtual machine investigation? Choose all that apply.

The basic steps involved at the beginning of a virtual machine investigation include acquiring a forensic image of the host computer, acquiring the network logs, and exporting the associated VM files.

66

fsutil allows users to interact with and manipulate aspects of the file system. It is a versatile tool for performing a wide range of file-system related tasks on Linux systems.

fsutil allows users to interact with and manipulate aspects of the file system. It is a versatile tool for performing a wide range of file-system related tasks on Windows systems.

67

Moses is examining a personal computer because an employee is suspected of committing fraud. As Moses searches the employee's cloud accounts, he finds child pornography. The employee says it is not theirs and they don't know where it came from. Upon further inspection, Moses finds that the employee is telling the truth. How did Moses determine this was true?

Moses determined that this happened by reviewing the employee's CSP's web-connected login records and comparing them with the date and time values of the suspected files. The date and time values did not match, so the data was not uploaded from one of the employee's computers.

68

During an investigation at a suspect's home, Joel discovers a mobile device attached by USB to a laptop. When he sees this setup, he must disconnect the mobile device from the laptop immediately. Why is that important?

Disconnecting the devices immediately helps prevent synchronization that might occur automatically on a preset schedule and overwrite data on the device. In other words, the evidence that a crime may have occurred may be purposely erased when specific data is synchronized between the mobile device and the laptop.

69

Paul is deciding on a forensics program for a data-carving extraction. What are some of the programs Paul can choose from for this extraction? Choose all that apply.

Paul can choose from X-Ways Forensics and OSForensics for the data-carving extraction. HxD and Autopsy are used to copy the known data patterns from the files he recovered and then restore this information so the file can be viewed.

70

Derek is investigating a case involving online threats toward a poll worker during the last election cycle. The poll worker was receiving increasingly disturbing emails from an individual. Eventually, Derek was able to catch the individual by searching the email messages he sent to the poll worker. How did Derek use the sent email to find the suspect?

Derek examined the headers and encoding at the beginning and ending of the suspect's emails to trace the route the emails took through servers. The IP address found in the email header allowed Derek to pinpoint the sender's location.

71

Lucas frequently uses his work email address to send personal emails to his doctors and lawyers. These emails often contain sensitive information such as his Social Security number and birth date. Despite being warned by his IT department, Lucas continues to disregard their advice regarding the risks of sending personal information from his work email address. Why is it considered bad email protocol to send personal information from a work email address?

While it may be a possible fireable offense if there is an acceptable use policy in place, for this chapter, any information placed in a company email may be seized during the course of an investigation into his company, and his personally identifiable information (PII) may no longer be private.

72

Nori is investigating a suspect's machine when she discovers a type 2 hypervisor. Why would Nori find a type 2 hypervisor on a suspect's computer?

Nori found a type 2 hypervisor on the suspect's computer because, most likely, the suspect was familiar with type 2 hypervisors and wanted to hide their activities within the virtual machine that the hypervisor controlled.

73

Fabian is working toward becoming an expert witness. He has years of experience in the field, has published papers in journals, and he is well respected. He now wants to join an organization with a code of ethics so that he can show to potential clients that he follows a code of published ethics. However, he is not too sure about reporting on other members in his field if they violate the organization's code of conduct because everyone makes mistakes. Which organization does Fabian want to avoid?

Members of the International Society of Forensic Computer Examiners (ISFCE) are expected to maintain their integrity by reporting other members who violate their code of conduct.

74

Naim was asked by an attorney if the documents she recovered during e-discovery were legally defensible. What does legally defensible mean?

The information collected must be readily accessible as well as legally defensible, meaning that it will stand up to a challenge in court.

75

Georgi has been asked to join a peer review committee. He will be working on single-, double-, and triple-blind peer reviews with his committee. What is the purpose of these types of reviews?

The purpose of single-, double-, and triple-blind peer reviews is to eliminate or minimize reviewer bias.

76

Jai works for the military. His commander used to let Jai and the rest of his platoon wear consumer wearables, such as Fitbit, when they were exercising so they could keep track of their fitness training. Not too long ago, the military banned those devices from military bases. Why would Fitbits and other fitness tracking devices be banned from military sites?

True story: The military banned fitness trackers because geolocation trackers inside the watches revealed the locations and pathways of military installations around the globe. A private company released a "heat map" that showed the density of trackers in places around the world. The dense traces of tracks going around in the same large spaces turned out to be military sites, including top secret locations.

77

Duane's law firm specializes in digital forensics and e-discovery. They are interested in finding an e-discovery platform that has components related to government, incident response, and data governance. Due to the firm's small IT department, they prefer to use a third party to manage the platform rather than running the software in-house. What's the best software for Duane's needs?

iCONECT offers an e-discovery platform that includes components related to government, incident response, and data governance, all of which can have an impact on digital forensics and e-discovery. The software can be used in-house or accessed through Microsoft Azure or an approved third party.

78

Katana teaches four courses in one classroom, and each computer has four students working on it at different times of the week. The students are completing computer forensics labs that require them to perform many of the functions that would be required in the field. They are using Kali Linux, Metasploitable framework, Windows 10, and Server 2016. Since this is a classroom, what would be the least expensive way to set up the class, yet allow each student to work on their projects and save their work for the next time that they are in class without affecting the other three students who will be using the same computer?

This is a true story. Katana set up a type 2 hypervisor with multiple virtual machine managers (VirtualBox) and created a closed virtual network using Kali, Metasploitable framework, Windows 10, and Server 2016. The networks were then password protected for each class. This allowed students to work on their own networks at their own pace without fear of losing their work. It also ensured that no student could interfere with or check the status of another student from another class. The reason the class was set up this way was cost. Using existing computers as type 2 hypervisors was less expensive than getting type 1s for the whole classroom. The Linux programs were free, and the school had licenses for Windows and Server 2016.

79

Elijah just lost his company phone and reports the loss to the IT Department. Since the phone has the MDM management tool installed, what can the IT Department do to protect their confidential information and intellectual property (IP)?

The MDM tool can be used to wipe the phone to ensure that its data is unrecoverable.

80

Xavier is examining photos from a suspect's drive that were downloaded from a smartphone. The issue is that when the suspect downloaded the photos, he changed the format from JPEG to TIF. As a forensics examiner, why should Xavier consider this to be a problem for his investigation?

The metadata may not be reliable due to the format change from the original file type when transferred. Therefore, image files found on a suspect computer's drive should be treated subjectively.

81

Kiara is a forensic examiner specializing in fraud cases. She is examining email headers to determine if emails addressed to the respondent were fraudulent. She notices that two messages had the same protocol value. So, she knew the message sent by the petitioner was fraudulent. What protocol value did Kiara see in the message header that she recognized as fraudulent?

The clue that the other email was a fake was in the Enhanced/Extended Simple Mail Transfer Protocol (E/SMTP) number located in the message's header. This number is unique to each message an email server transmits. The petitioner claimed that the email instructing him to purchase options was legitimate. However, the petitioner's email message header had the same E/SMTP value as the message header from the respondent. Upon deeper examination, it was revealed that the petitioner's email was fraudulent.

82

Marquise has been performing live acquisitions on Windows computers for years. He has been asked to complete a live acquisition on a Linux computer. He is worried that his skillset will not be up to the task. What do live acquisitions for Windows and Linux computers have in common?

Both Windows and Linux machines have hardware with the same order of volatility: RAM, logs, network traffic, and then the actual drives.

83

Lorelie is extracting data from a mobile device and needs to store it. She needs a good USB drive, one that can perform quickly and accurately. What type of USB drive is best for holding extracted data? Choose all that apply.

USB devices must be "high performance" and "high endurance," especially when working in the field. Storage devices must use at least MLC or TLC memory chips from a reputable memory manufacturer. As of now, QLC chips are not as durable as the MLC or TLC chips and tend to have lower endurance memory cells, which may result in potential concerns about the integrity of the data extracted.

84

Jayden finds several saved web pages on a suspect's computer. They look like legitimate web pages, but this suspect is a known child pornographer, so the police are on the lookout for images and messages that might be in the suspect's possession. How does Jayden go about searching for this evidence?

Jayden should search the HTML source code for hidden text. The suspect can hide text messages within the source code that no one can see unless the source code is revealed.

85

Maalik is a forensic examiner investigating email crimes. He uses data recovery tools all the time to recover email to extract data from computers. He is excellent at his job but does not have much experience with how email systems work. He wants to be an expert witness, but his boss told him he can't. Why is Maalik unlikely to be a good expert witness?

To be a successful expert witness, Maalik must understand and explain the email systems' functions to laypeople. However, he does not have that experience, so he does not have the ability to explain email systems simply.

86

Leo was chosen to create a forensics preparedness plan to assist an incident response team in case of a breach or attack. What information about the data should be included in this plan? Choose all that apply.

Leo's forensics preparedness plan must ensure that the incident response team knows where data is stored, what data is stored, and the legal aspects of such data.

87

Ivan is trying to access Google messages between two suspects, but they are encrypted. He can access other messages from one suspect to different people but not the second suspect. Why can't Ivan access messages between the two suspects?

Google has introduced end-to-end encryption using Rich Communication Service (RCS) in their Messages app. Presently, the RCS encryption only works between two devices when this feature is activated on both devices.

88

Alexi is new to the field of computer forensics. She has heard about a file called $UsnJrnl:$J. A colleague of hers says it is used in digital forensics investigations. Alexi is puzzled. She turns to you and asks what this file is used for. What is your answer?

The $UsnJrnl:$J file can provide a history of file system activity, helping investigators track file changes and potentially identify suspicious activities.

89

Braxton is a network administrator and a strong believer in using defense in depth to protect his company's network. What makes defense in depth an important tool for network administrators?

If one mode of protection fails, such as a firewall, another mode, such as an intrusion prevention system (IPS), may catch the attack. In other words, multiple types of defenses are built into the network to thwart an attack. This also includes people.

90

Ethan is an expert witness in the technical aspects of data recovery. He has made it known that he prefers one type of data recovery method over others and prefers recovering data only by that method. Why does this make Ethan a bad expert witness in a trial setting?

Because Ethan is biased toward one type of data recovery method, he is not following best practices, which include using multiple recovery methods to ensure that no data is missed.

91

Khalil has Autopsy, FTK Imager, and OSForensics tools available to her, but she can't use them to read the VM files that she needs to investigate. Why is that?

Autopsy, FTK Imager, and OSForensics can only read .VMDK and .VHD VM image files.

92

Aloise is a penetration tester (pen tester). While attempting to break into a client's network, she finds some undiscovered vulnerabilities. These vulnerabilities can lead to attacks. What are these vulnerabilities called?

A zero-day attack is launched against a vendor's software before the vendor knows that a vulnerability is present in their software to be targeted.

93

Tyson is examining network logs. He discovers that a pattern has emerged regarding a single IP address assigned to one employee. It appears that this particular employee frequently spends time on the Internet. What is Tyson's next step?

Tyson should investigate the IP address and see where it leads. It could lead to a shopping website, which could mean that the employee in question could be shopping during work time. If this is the case, the matter should be turned over to HR for further handling and possible investigation.

94

Nakos is a new employee of the Bloom company. On his first day at the office, he wants to create an email account but is not allowed to do so. He has been told that this must be handled by the IT Department. Why can't Nakos create his own email account? Choose all that apply.

The IT Department has strict naming conventions that are determined by the email administrator, who in this role must add new users to the company user management program (such as Active Directory) in order to control user access for security reasons and to enforce acceptable use policies.

95

The digital chain of custody (DCoC) is the route that digital evidence takes from the time the investigator obtains it until the case is closed or goes to court.

The digital chain of custody (DCoC) is the route that digital evidence takes from the time the investigator obtains it until the case is closed or goes to court.

96

Matteo needs a solution for his mobile forensics projects that does not rely on software installed on a computer and is instead web-based. His best option is software-as-a-service (SaaS). This way, data can be processed automatically within a few minutes, instead of being manually processed by investigators. Which program should he use?

Hawk Analytics' CellHawk is a web-based software-as-a-service (SaaS) platform. Data can be processed automatically within a few minutes by CellHawk (assuming CellHawk supports the cellular carrier), instead of being manually processed by investigators, which could take several days or weeks.

97

Maya is working with an attorney on an intellectual property theft case. She has recovered a lot of information, and now the attorney is asking for more due to some additional evidence that has been discovered. The investigation has now moved beyond the original description of the investigation because of unexpected evidence. Maya uses a term for this situation; what is it?

When the investigation expands beyond the original description because of unexpected evidence, the term for this situation is scope creep.

98

Kenna wants to use graphical tools for viewing network traffic. She believes that they are quicker than using command-line tools. Which of the following tools are graphical user interface (GUI) tools? Choose all that apply.

EtherApe and Netdude are both graphical user interface (GUI) tools.

99

Kinsley is feeling overwhelmed by the numerous legal acronyms. She wants to know what EDRM and FIRAC stand for, as they both relate to the legal process. However, she is not sure which specific part of the legal process each one refers to. What do EDRM and FIRAC mean?

The FIRAC (facts, issues, rules and references, analysis, and conclusions) method is an approach to legal analysis. The FIRAC method can be a useful tool for evaluating cases and determining their relevance to the specific issues you are facing as a digital forensics investigator. The Electronic Discovery Reference Model (EDRM) is a conceptual framework created by Tom Gelbmann and George Socha in 2005 to address how to process ESI in a legal case or an investigation. It was created specifically for e-discovery, and there is a large international group that maintains the model and has various working groups. The EDRM was developed to ensure ESI makes its way to court in both civil and criminal cases.

100

Ximena has been handed a phone that was discovered during a search of a suspect's home. Upon examining the phone, she finds that much of the data is stored in the cloud and web-based services. She tells the investigator that she cannot search the phone further. What is the issue facing Ximena in searching the suspect's phone?

In order for Ximena to examine the cloud and web-based services accessed from the suspect's mobile device, a search warrant or subpoena is required.
