Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

1. Which of the following is not a basic concept of computer forensic analysis?
   A. Identify data of potential evidentiary value
   B. Determine how best to preserve evidence
   C. Determine the guilt of a suspect based on findings
   D. Ensure that collected data is acceptable as evidence

2. Why is it important to log a system's time offset against a verified time standard during an investigation?
   A. To preserve the chain of custody
   B. To ensure the evidence is complete
   C. To protect the evidence against modification
   D. To locate data supporting the lawyer's case

3. In order to preserve data against modification through the forensic review, which of the following forms of data storage should be examined first?
   A. Temporary file storage
   B. Main memory
   C. Secondary memory
   D. Process tables

4. Which of the following steps should be performed first in a forensic investigation?
   A. Locate data
   B. Establish an order of volatility
   C. Collect data
   D. Review data

Cram Quiz Answers

1. C. The forensic analysis process might identify information of interest (or its absence), but guilt and innocence are determined by the legal system and are not part of the forensic review process. Answers A, B, and D are valid because data acquisition, protection, and analysis under the Rules of Evidence are all components of a forensic review.

2. B. Completeness of evidence includes not only the data of interest, but also any related data that might affect conclusions drawn from the investigation. Synchronization of logs, file creation date/time, and logons across multiple systems might require applying calculations to event log timing if the offset varies between systems. Answers A and C are incorrect because the time offset is not involved in maintaining the chain of custody or in protecting the data against modification. Answer D is incorrect because the specific file creation times and other similar details might help to identify the timing of actions but will not determine whether logged details support a particular finding.

3. D. The routing and process tables are more volatile than the other forms of data storage and might be automatically overwritten during normal operations. Answer A is incorrect because temporary file storage involves file system caches, whereas answer C is incorrect because secondary memory involves non-volatile media such as a hard drive. Answer B is incorrect because system RAM holds data uncorrupted until changed by an operation or power loss.

4. A. The first step, after creating initial documentation for the review, is to locate and identify data of interest. Answers B, C, and D are incorrect because the steps presented are in the proper order for a forensic review, although some steps, such as the elimination of external mechanisms of modification and the creation of forensic duplicates, are not present.
