Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)
a. Any graphics files
b. Files associated with an application
c. System files the OS uses
d. Any files pertaining to the company
Files associated with an application
and System files the OS uses
For which of the following reasons should you wipe a target drive?
D) Both a and b
The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.)
a. Filter known program files from view.
b. Calculate hash values of image files.
c. Compare hash values of known files with evidence files.
d. Filter out evidence that doesn’t relate to your investigation.
Filter known program files from view.
and
Compare hash values of known files with evidence files.
Password recovery is included in all forensics tools. True or False?
False
After you shift a file’s bits, the hash value remains the same. True or False?
False
Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply.)
a. Expert Witness
b. SMART
c. AFF
d. dd
Expert Witness and SMART and AFF
______ happens when an investigation goes beyond the bounds of its original description.
Scope creep
Suppose you’re investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
B) Internal corporate investigation because corporate investigators typically have ready access to company records
You’re using Disk Management to view primary and extended partitions on a suspect’s drive. The program reports the extended partition’s total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
B) There’s a hidden partition.
Commercial encryption programs often rely on ________ technology to recover files if a password or passphrase is lost.
Key escrow
Steganography is used for which of the following purposes?
A) Hiding data
The National Software Reference Library provides what type of resource for digital forensics examiners?
D) A list of MD5 and SHA1 hash values for all known OSs and applications
In steganalysis, cover-media is which of the following?
B) The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
Rainbow tables serve what purpose for digital forensics examinations?
Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?
True
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
Salting can make password recovery extremely difficult and time consuming.
Block-wise sector analysis has which of the following benefits for forensics examiners?
Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect’s drive
Criminal investigations are limited to finding data defined in the _____, and civil investigations are limited by court orders for discovery.
search warrant
The result of an investigation expanding beyond its original description because the discovery of unexpected evidence increases the amount of work required is known as _____.
scope creep
Autopsy can handle many formats, including raw, Expert Witness, and virtual machine image files (_____ and .vhd)
.vdi
Autopsy has an indexed version of the NIST National Software Reference Library (NSRL) of _____ hashes, and you can import NSRL reference hashes into Autopsy.
MD5
Getting hash values with a full-featured _____ can be faster and easier than with a digital forensics tool.
hexadecimal editor
A process that builds a data set of hashes of sectors from the original file and then compares them with sectors on the suspect’s drive is known as _____.
block-wise hashing
_____ changes data from readable code to data that looks like binary executable code.
Bit-shifting
The converted cover-media file that stores a hidden message is known as the _____.
stego-media
A new technique used to protect passwords, which adds extra bits to a password and then hashes it, is known as _____.
salting passwords
Virtual Machine Extensions (VMX) are part of which of the following?
B) Intel Virtualized Technology
You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply.)
a. Desktop
b. Smartphone
c. Tablet
d. Network server
Desktop and Smartphone and Tablet
Which of the following file extensions are associated with VMware virtual machines?
C) .vmx, .log, and .nvram
In VirtualBox, a(n) _____ file contains settings for virtual hard drives.
A) .vbox
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of _____ and _____.
RAM and storage
A forensic image of a VM includes all snapshots. True or False?
False
Which Registry key contains associations for file extensions?
D) HKEY_CLASSES_ROOT
Which of the following is a clue that a virtual machine has been installed on a host system?
D) Virtual network adapter
To find network adapters, you use the ____ command in Windows and the _____ command in Linux.
ipconfig, ifconfig
What are the three modes of protection in the DiD strategy?
People, technology, operations
A layered network defense strategy puts the most valuable data where?
C) In the innermost layer
Tcpslice can be used to retrieve specific timeframes of packet captures. True or False?
True
Packet analyzers examine what layers of the OSI model?
D) Layers 2 and 3
When do zero day attacks occur? (Choose all that apply.)
a. On the day the application or OS is released
b. Before a patch is available
c. Before the vendor is aware of the vulnerability
d. On the day a patch is created
Before a patch is available
and Before the vendor is aware of the vulnerability
A type _____ hypervisor rests on top of an existing OS, such as Windows, Linux, or Mac OS.
2
True or False: Instruction sets called Virtual Machine Extensions (VMX) are necessary to use virtualization; without these instruction sets, virtualization software doesn’t work.
True
By linking a VM’s _____ to log files, you might be able to determine what Web sites the VM accessed.
IP address
Live acquisitions of VMs are necessary because they include all _____.
snapshots
Which hypervisor type can be installed directly on hardware and is limited only by the amount of available RAM, storage, and throughput?
Type 1
The amount of time that a piece of information lasts on a system is known as _____.
Order of volatility (OOV)
____ is the process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network.
Network forensics
True or False: Testing networks is not as important as testing servers.
False
____ are devices and/or software placed on a network to monitor traffic.
Packet analyzers
A(n) ____ is a computer set up to look like any other machine on your network; its purpose is to lure attackers to your network, but the computer contains no information of real value.
honeypot
____ are computers set up to monitor what’s happening to honeypots on your network and record what attackers are doing.
Honeywalls
E-mail headers contain which of the following information? (Choose all that apply.)
a. The sender and receiver e-mail addresses
b. An ESMTP number or reference number
c. The e-mail servers the message traveled through to reach its destination
d. The IP address of the receiving server
e. All of the above
The sender and receiver e-mail addresses
and
An ESMTP number or reference number
and
The e-mail servers the message traveled through to reach its destination
What’s the main piece of information you look for in an e-mail message you’re investigating?
A) Originating e-mail domain or IP address
In Microsoft Outlook, e-mails are typically stored in which of the following?
D) .pst and .ost files
When searching a victim’s computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail’s originator? (Choose all that apply.)
a. E-mail header
b. Username and password
c. Firewall log
d. All of the above
E-mail header and Firewall log
Phishing does which of the following?
C) Lures users with false promises
Which of the following is a current formatting standard for e-mail?
A) MIME
After examining e-mail headers to find an e-mail’s originating address, investigators use forward lookups to track an e-mail to a suspect. True or False?
True
When you access your e-mail, what type of computer architecture are you using?
C) Client/server
To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply.)
a. Intelius Inc.’s AnyWho online directory
b. Verizon’s http://superpages.com
c. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net
d. Any Web search engine
A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net
and Any Web search engine
Router logs can be used to verify what types of e-mail data?
C) Tracking flows through e-mail server ports
Logging options on e-mail servers can be which of the following? (Choose all that apply.)
a. Disabled by users
b. Set up in a circular logging configuration
c. Configured to a specified size before being overwritten
d. Typically set to periodic logging mode
Set up in a circular logging configuration
and
Configured to a specified size before being overwritten
On a UNIX-like system, which file specifies where to save different types of e-mail log files?
D) syslog.conf
What information is not in an e-mail header? (Choose all that apply.)
a. Blind copy (bcc) addresses
b. Internet addresses
c. Domain name
d. Contents of the message
e. Type of e-mail server used to send the e-mail
Blind copy (bcc) addresses
and
Internet addresses
Which of the following types of files can provide useful information when you’re examining an e-mail server?
A) .log files
E-mail accessed with a Web browser leaves files in temporary folders. True or False?
True
When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do?
C) Restore the e-mail server from a backup.
You can view e-mail headers in Notepad with all popular e-mail clients. True or False?
False
To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server’s internal operations. True or False?
True
Sendmail uses which file for instructions on processing an e-mail message?
C) sendmail.cf
A forensic linguist can determine an author’s gender by analyzing chat logs and social media communications. True or False?
False
A(n) ____ architecture comprises one central server and several connected client computers.
client/server
The ____ of an e-mail message contains unique identifying numbers, such as the IP address of the server that sent the message.
header
True or False: E-mail crimes and violations depend on the city, state, and sometimes country in which the e-mail originated.
True
In Outlook, you can save sent, draft, deleted, and received e-mails in a(n) _____ file, or you can save offline files in a(n) _____ file.
.pst / .ost
True or False: Network administrators maintain logs of the inbound and outbound traffic that routers handle.
True
____ logging saves valuable server space, but you can’t recover a log file after it’s overwritten.
Circular
Typically, a UNIX system has a variety of e-mail servers available, so the _____ file specifies where to save different types of e-mail log files.
syslog.conf
Some e-mail systems store messages using flat plaintext files, known as a(n) ____ format.
mbox
Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____ formatting.
Multipurpose Internet Mail Extensions (MIME)
_____ can contain evidence of cyberbullying and witness tampering.
Social media or Online social networks (OSNs)
List four places where mobile device information might be stored.
internal memory, SIM card, external/removable memory cards, the network provider
Typically, you need a search warrant to retrieve information from a service provider. True or False?
True
The term TDMA refers to which of the following? (Choose all that apply.)
a. A technique of dividing a radio frequency so that multiple users share the same channel
b. A proprietary protocol developed by Motorola
c. A specific cellular network standard
d. A technique of spreading the signal across many channels
A technique of dividing a radio frequency so that multiple users share the same channel
and
A specific cellular network standard
What’s the most commonly used cellular network worldwide?
GSM
Which of the following relies on a central database that tracks account data, location data, and subscriber information?
B) MSC
GSM divides a mobile station into ______ and ______.
SIM card and ME (mobile equipment)
SD cards have a capacity up to which of the following?
C) 64 GB
Describe two ways you can isolate a mobile device from incoming signals.
Answers can include placing the device in airplane mode, placing it in paint cans, using Faraday bags, and turning the device off.
Which of the following categories of information is stored on a SIM card? (Choose all that apply.)
a. Volatile memory
b. Call data
c. Service-related data
d. None of the above
Call data
and
Service-related data
Most SIM cards allow ______ access attempts before locking you out.
three
SIM card readers can alter evidence by showing that a message has been read when you view it. True or False?
True
The uRLLC 5G category focuses on communications in smart cities. True or False?
False
When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place. True or False?
False
Remote wiping of a mobile device can result in which of the following? (Choose all that apply.)
a. Removing account information
b. Enabling a GPS beacon to track the thief
c. Returning the phone to the original factory settings
d. Deleting contacts
Removing account information
and
Returning the phone to the original factory settings
and
Deleting contacts
In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices?
A) Riley v. California
The Internet of Things includes ______ as well as wired, wireless, and mobile devices.
radio frequency identification (RFID) sensors
Which of the following is a mobile forensics method listed in NIST guidelines? (Choose all that apply.)
a. Logical extraction
b. Bilateral read
c. Physical extraction
d. Hex dumping
Logical extraction
and Physical extraction
and Hex dumping
According to SANS DFIR Forensics, which of the following tasks should you perform if a mobile device is on and unlocked? (Choose all that apply.)
a. Isolate the device from the network.
b. Disable the screen lock.
c. Remove the passcode.
d. Attempt to do a physical acquisition.
Isolate the device from the network.
and Disable the screen lock.
and Remove the passcode.
Which organization is setting standards for 5G devices?
International Mobile Telecommunications working group
Global System for Mobile Communications (GSM) uses the ____ technique, so multiple phones take turns sharing a channel.
Time Division Multiple Access (TDMA)
Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
_____ are usually found in GSM devices and consist of a microprocessor and internal memory.
SIM cards
The file system for a SIM card is a ______ structure.
hierarchical
True or False: All mobile devices have volatile memory.
True
Because of ____ laws, checking providers’ servers requires a search warrant or subpoena.
wiretap
The _____ mobile forensics method requires physically removing the flash memory chip and gathering information at the binary level.
Chip-off
A new field is _____ forensics, which addresses the many parts that have sensors in cars.
vehicle system
Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True or False?
True
What are the three levels of cloud services defined by NIST?
D) SaaS, PaaS, and IaaS
What capabilities should a forensics tool have to acquire data from a cloud? (Choose all that apply.)
a. Identify and acquire data from the cloud.
b. Expand and contract data storage capabilities as needed for service changes.
c. Circumvent firewalls to access cloud data.
d. Examine virtual systems.
Identify and acquire data from the cloud.
and Expand and contract data storage capabilities as needed for service changes.
and Examine virtual systems.
Commingled data isn’t a concern when acquiring cloud data. True or False?
False
A(n) __________ is a contract between a CSP and the customer that describes what services are being provided and at what level.
CSA or cloud service agreement
Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (Choose all that apply.)
a. Subpoenas with prior notice
b. Temporary restraining orders
c. Search warrants
d. Court orders
Subpoenas with prior notice
and Search warrants
and Court orders
In which cloud service level can customers rent hardware and install whatever OSs and applications they need?
IaaS or infrastructure as a service
What are the two states of encrypted data in a secure cloud?
A) Data in motion and data at rest
Evidence of cloud access found on a smartphone usually means which cloud service level was in use?
D) SaaS
Which of the following cloud deployment methods typically offers no security?
B) Public cloud
The multitenancy nature of cloud environments means conflicts in privacy laws can occur. True or False?
True
To see Google Drive synchronization files, you need a SQL viewer. True or False?
True
A CSP’s incident response team typically consists of which staff? List at least three positions.
system administrators, network administrators, and legal advisors
The cloud services Dropbox, Google Drive, and OneDrive have Registry entries. True or False?
True
When should a temporary restraining order be requested for cloud environments?
C) When a search warrant requires seizing a CSP’s hardware and software used by other parties not involved in the case
Updates to the EU Data Protection Rules will affect how data is moved during an investigation regardless of location. True or False?
True
NIST document SP 500-322 defines more than 75 cloud services, including which of the following? (Choose all that apply.)
a. Backup as a service
b. Security as a service
c. Drupal as a service
d. Intelligence as a service
Backup as a service
and Security as a service
and Drupal as a service
Public cloud services such as Dropbox and OneDrive use what encryption applications?
Sophos Safeguard and Sophos Mobile Control
Which of the three cloud service levels allows customers to rent hardware and install whatever OSs and applications they need?
Infrastructure as a service (IaaS)
A principle of software architecture in which a single installation of a program runs on a server accessed by multiple entities is known as _____.
multitenancy
A contract between a CSP and the customer that describes what services are being provided and at what level is known as a _____.
cloud service agreement (CSA), or service level agreement, or master service agreement
Destroying, altering, hiding, or failing to preserve evidence is known as _____.
spoliation
_____ in the cloud covers data owners, identity protection, users, access controls, and so forth.
Role management
With cloud systems running in a virtual environment, _____ can give you valuable information before, during, and after an incident.
snapshots
Encrypted data in the cloud is in two states. Which state is used to describe data that is being transmitted over a network?
data in motion
What type of file contains the DLL pathnames and metadata used by an application?
a prefetch file
A tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly is known as _____.
management plane
Which of the following rules or laws requires an expert to prepare and submit a report?
C) FRCP 26
For what purpose have hypothetical questions traditionally been used in litigation?
A) To frame the factual context of rendering an expert witness’s opinion
If you were a lay witness at a previous trial, you shouldn’t list that case in your written report. True or False?
True
Which of the following is an example of a written report?
B) An affidavit
What is destroying a report before the final resolution of a case called?
spoliation
An expert witness can give an opinion in which of the following situations?
D) All of the above
Which of the following is the standard format for reports filed electronically in U.S. federal courts and most state courts?
D) PDF
When writing a report, what’s the most important aspect of formatting?
C) Consistency
Automated tools help you collect and report evidence, but you’re responsible for doing which of the following?
B) Explaining the significance of the evidence
What can be included in report appendixes?
Answers can include additional resource material not included in the text, raw data, figures not used in the body of the report, and anticipated exhibits.
Which of the following statements about the legal-sequential numbering system in report writing is true?
B) It doesn’t indicate the relative importance of information.
What’s a major advantage of automated forensics tools in report writing?
You can incorporate the log files and reports these tools generate into your written reports. Generally, these generated files are in a format that’s easy to incorporate into an electronic document.
Besides presenting facts, an investigation report can communicate ____ opinion.
expert
Libraries where attorneys can deposit and withdraw examples of expert witnesses’ previous testimony are known as _____.
deposition banks
A(n) ____ is a document that lets you know what questions to expect when you are testifying.
examination plan
A report using the ____ system divides material into sections and restarts numbering with each main section.
decimal numbering
If you use any hashing algorithms, be sure to give the _____.
common name
True or False: With many forensics software tools, log files of analysis activities and reports can be created that provide information about the findings for a case.
True
True or False: Reports and logs are typically in text, word processing, spreadsheet, or HTML format.
True
Which of the following describes fact testimony?
A) Scientific or technical testimony describing information recovered during an examination
Which of the following describes expert witness testimony? (Choose all that apply.)
a. Testimony designed to assist the jury in determining matters beyond the ordinary person’s scope of knowledge
b. Testimony that defines issues of the case for determination by the jury
c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience
d. Testimony designed to raise doubt about facts or witnesses’ credibility
Testimony designed to assist the jury in determining matters beyond the ordinary person’s scope of knowledge
and
Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience
When using graphics while testifying, which of the following guidelines applies? (Choose all that apply.)
a. Make sure the jury can see your graphics.
b. Practice using charts for courtroom testimony.
c. Your exhibits must be clear and easy to understand.
d. Make sure you have plenty of extra graphics, in case you have to explain more complex or supporting issues.
Make sure the jury can see your graphics.
and Practice using charts for courtroom testimony.
and Your exhibits must be clear and easy to understand.
What kind of information do fact witnesses provide during testimony? (Choose all that apply.)
a. Their professional opinion on the significance of evidence
b. Definitions of issues to be determined by the finder of fact
c. Facts only
d. Observations of the results of tests they performed
Facts only
and
Observations of the results of tests they performed
What expressions are acceptable to use in testimony to respond to a question for which you have no answer? (Choose all that apply.)
a. No comment.
b. That’s beyond the scope of my expertise.
c. I don’t want to answer that question.
d. I wasn’t asked to investigate that.
e. That’s beyond the scope of my investigation.
That’s beyond the scope of my expertise.
and I wasn’t asked to investigate that.
and That’s beyond the scope of my investigation.
What should you do if you realize you have made a mistake or misstatement during a deposition? (Choose all that apply.)
a. If the deposition is still in session, refer back to the error and correct it.
b. Decide whether the error is minor, and if so, ignore it.
c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature.
d. Call the opposing attorney and inform him of your mistake or misstatement.
e. Request an opportunity to make the correction at trial.
If the deposition is still in session, refer back to the error and correct it.
and
If the deposition is over, make the correction on the corrections page of the copy provided for your signature.
List two types of depositions.
testimony preservation and discovery
At trial as a fact or expert witness, what must you always remember about your testimony?
B) Your duty is to report your technical or scientific findings or render an honest opinion.
Before testifying, you should do which of the following? (Choose all that apply.)
a. Create an examination plan with your retaining attorney.
b. Make sure you’ve been paid for your services and the estimated fee for the deposition or trial.
c. Get a haircut.
d. Type all the draft notes you took during your investigation.
Create an examination plan with your retaining attorney.
and
Make sure you’ve been paid for your services and the estimated fee for the deposition or trial.
Voir dire is the process of qualifying a witness as an expert. True or False?
True
What is a motion in limine?
B) A pretrial motion for the purpose of excluding certain evidence
During your cross-examination, you should do which of the following? (Choose all that apply.)
a. Maintain eye contact with the jury.
b. Pay close attention to what your attorney is objecting to.
c. Help the attorneys, judge, and jury in understanding the case, even if you have to go a bit beyond the scope of your expertise.
d. Pay close attention to opposing counsel’s questions.
e. Answer opposing counsel’s questions as briefly as is practical.
Maintain eye contact with the jury.
and Pay close attention to what your attorney is objecting to.
and Pay close attention to opposing counsel’s questions.
and Answer opposing counsel’s questions as briefly as is practical.
Your curriculum vitae is which of the following? (Choose all that apply.)
a. A necessary tool to be an expert witness
b. A generally required document to be made available before your testimony
c. A detailed record of your experience, education, and training
d. Focused on your skills as they apply to the current case
A necessary tool to be an expert witness.
and A generally required document to be made available before your testimony.
and A detailed record of your experience, education, and training
The most reliable way to ensure that jurors recall testimony is to do which of the following?
A) Present evidence combining oral testimony and graphics that support the testimony.
If you’re giving an answer that you think your attorney should follow up on, what should you do?
A) Use an agreed-on expression to alert the attorney to follow up on the question.
In answering a question about the size of a hard drive, which of the following responses is appropriate? (Choose all that apply.)
a. It’s a very large hard drive.
b. The technical data sheet indicates it’s a 3 terabyte hard drive.
c. It’s a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage.
d. I was unable to determine the drive size because it was so badly damaged.
The technical data sheet indicates it’s a 3 terabyte hard drive.
and It’s a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage.
and I was unable to determine the drive size because it was so badly damaged.
List three items you should include in your CV.
Answers can include instances of previous expert testimony, education and training, work experience, training you provided or contributed to, and professional awards or recognitions.
When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn’t being released to the defense?
B) Bring the information to the attention of the prosecutor, then his or her supervisor, and finally to the judge (the court).
When you give ____ testimony, you present evidence and explain what it is and how it was obtained. You don’t offer conclusions, only the facts.
technical or scientific
Your _____ lists your professional experience and is used to qualify your testimony.
curriculum vitae (CV)
Jurors typically average just over _________ years of education and an eighth-grade reading level.
twelve
____ is an attempt from one attorney to prevent another attorney from using you on an important case.
Conflicting out
Sometimes opposing attorneys ask several questions inside one question; this is called a(n) ____.
compound question
A(n) ____ differs from trial testimony because there’s no jury or judge.
deposition
Although a(n) ____ deposition can be video recorded, a written transcript is more common and is required in addition to the video recording.
discovery
A(n) ____ deposition is usually requested by your client to preserve your testimony in case of schedule conflicts or health problems.
testimony preservation
A(n) ____ hearing is held in court to determine the admissibility of certain evidence before trial.
judicial
Describe two types of ethical standards.
Standards that others apply to you or that you’re compelled to adhere to by external forces (such as licensing bodies) and your own internal rules you use to measure your performance.
Ethical obligations are duties that you owe only to others. True or False?
False
List three sound reasons for offering a different opinion from one you testified to in a previous case.
recent developments in technology, new tools with new capabilities, and the facts of the current case being distinguishable from a previous case
List three or more factors courts have used in determining whether to disqualify an expert.
Answers can include the following: whether the attorney informed the expert that their discussions were confidential, whether the expert reviewed materials marked as confidential or attorney work product, whether the expert was asked to sign a confidentiality agreement, the number of discussions held over a period of time, the type of documents reviewed (publicly filed or confidential), the type of information conveyed to the expert, amount of time involved in discussions or meetings, whether the expert provided the attorney with confidential information, whether the attorney formally retained the expert, whether the expert voiced concerns about being retained, whether the expert was requested to perform services for the attorney, and whether the attorney compensated the expert.
All expert witnesses must be members of associations that license them. True or False?
False
Contingency fees can be used to compensate an expert under which circumstances?
C) When the expert is acting only as a consultant, not a witness
List three organizations that have a code of ethics or conduct.
ISFCE, IACIS, AMA, APA, and ABA
In the United States, no state or national licensing body specifically licenses forensics examiners. True or False?
True
When you begin a conversation with an attorney about a specific case, what should you do? (Choose all that apply.)
C) Refuse to discuss details until a retainer agreement is returned.
What purpose does making your own recording during a deposition serve?
C) It allows you to review your testimony with your attorney during breaks.
Externally enforced ethical rules, with sanctions that can restrict a professional’s practice, are more accurately described as which of the following?
A) Laws
Describe an unethical technique opposing counsel might use to make a deposition difficult for you.
Opposing counsel might attempt to make discovery depositions physically uncomfortable. Other tactics include the attorney who has set the deposition neglecting to have payment ready for you.
What are some risks of using tools you have created yourself?
A) The tool doesn’t generate reports in a standard format.
List four steps you should take, in the correct order, to handle a deposition in which physical circumstances are uncomfortable.
Ask the attorney to correct the situation.
If the situation is not corrected, note these conditions into the record, and repeat noting them as long as the conditions persist.
After you have noted the problem into the record, you can refuse to continue with the deposition. Generally, you should consult with an attorney before taking this step.
If you think the behavior was serious enough that you can justify refusing to continue, consider reporting the attorney to his or her state bar association.
List three obvious ethical errors.
Don’t present false data or alter data.
Don’t report work that was not done.
Don’t ignore available contradictory data.
Don’t do work beyond your expertise or competence.
Don’t allow the attorney who retained you to influence your opinion in an unauthorized way. (Keep in mind that there are authorized points of influence, such as the attorney framing a hypothetical question for you or asking you to answer specific questions.)
Don’t accept an assignment if it cannot reasonably be done in the allowed time.
Don’t reach a conclusion before you have done complete research.
Don’t fail to report possible conflicts of interest.
Codes of professional conduct or responsibility set the highest standards for professionals’ expected performance. True or False?
False
____ are the rules you internalize and use to measure your performance.
Ethics
One of the effects of violating court rules or laws is ____. This outcome isn’t usually punitive, but it can be embarrassing for you as a professional and potentially for the attorney who retained you.
disqualification
True or False: Contingency fees aren’t allowed except in certain limited circumstances.
True
True or False: The American Bar Association (ABA) is a licensing body.
False
True or False: Evidence obtained through the use of personally created tools is not admissible in U.S. District courts.
False
True or False: Enforcing any professional organization’s ethical guidelines is difficult.
False
True or False: The planning stage should cover all possibilities, including giving an opinion of whether data was corrupted intentionally or unintentionally.
True
A(n) ____ is a file or folder that has lost its link to the parent folder.
orphan file
True or False: Typically, disk drives that haven’t been defragmented have large files fragmented into one or more data runs.
True
Author: dior
ID: 358781
Card Set: Exam 2 Computer Forensics
Description: These are the questions from the end of the chapter and quiz questions.