CNB4313 Principles of Computer Forensics

Tutorial 1 Solution (Chapter 1-3)


1. Computer forensics and data recovery refer to the same activities.
True or False?
False

2. The triad of computing security includes which of the following?
Vulnerability assessment, intrusion response, and investigation

3. List three common types of digital crime.
Answers can include fraud, e-mail harassment, cyberstalking, and embezzlement.

4. To what does the term “silver-platter doctrine” refer?
If evidence of a criminal matter is found during a corporate investigation, all evidence
found so far must be turned over to law enforcement. It also refers to the rule that
evidence law enforcement obtained without a warrant is admissible in a federal criminal trial.

5. List two items that should appear on an internal warning banner.
Statements that the organization has the right to monitor what users do, that their
e-mail is not personal, and so on.

6. List two types of computer investigations typically conducted in the corporate
environment.
Fraud, embezzlement, insider trading, espionage, and e-mail harassment

7. What is professional conduct and why is it important?
Professional conduct includes ethics, morals, and standards of behavior. It affects
your credibility.

8. You can lose your job for violating a company policy, even if you
don’t commit a crime. True or False?
True

9. What is the purpose of maintaining a professional journal?
It helps you remember what procedures were followed if the case ever goes to court.
It can also be a useful reference if you need to remember how you solved a
challenging problem.

10. Why should companies appoint an authorized requester for computer investigations?
To reduce conflicts from competing interests among other organizations or
departments and to avoid starting investigations based on innuendo or jealousy.

11. What are some initial assessments you should make for a computing
investigation?
• Talk to others involved in the case and ask about the incident.
• Determine whether law enforcement or company security officers already
seized the computer evidence.
• Determine whether the computer was used to commit a crime or contains
evidence about the crime.

12. What are some ways to determine the resources needed for an
investigation?
• Determine the OS of the suspect computer.
• List the necessary software to use for the examination.

13. List three items that should be on an evidence custody form.
Case number, name of the investigator assigned to the case, nature of the case,
location where evidence was obtained, description of the evidence, and so on.

14. You should always prove the allegations made by the person who hired you.
True or False?
False

15. For digital evidence, an evidence bag is typically made of antistatic material.
True or False?
True

16. For employee termination cases, what types of investigations do you typically
encounter?
• Hostile work environment caused by inappropriate Internet use
• Sending harassing e-mail messages

17. Why should your evidence media be write-protected?
To ensure that data isn’t altered.

18. List three items that should be in your case report.
An explanation of basic computer and network processes, a narrative of what steps
you took, a description of your findings, and log files generated from your analysis
tools.

19. Why should you critique your case after it’s finished?
To improve your work

20. What do you call a list of people who have had physical possession of the
evidence?
Chain of custody

21. If a company publishes a policy stating that it reserves the right to inspect
computing assets at will, a corporate investigator can conduct covert surveillance on an
employee with little cause. True or False?
True

22. If you discover a criminal act, such as murder or child pornography, while
investigating a corporate policy abuse, the case becomes a criminal investigation and
should be referred to law enforcement. True or False?
True

23. Probable cause is not needed for a criminal investigation. True or False?
False

24. If a suspect computer is located in an area that might have toxic chemicals,
how should you react?
Coordinate with the HAZMAT team.

25. List three items that should be in an initial-response field kit.
Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media,
laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual
write-protect external bay, flashlight, digital camera or 35mm camera, evidence log
forms, notebook or dictation recorder, computer evidence bags (antistatic bags),
evidence labels, tape, and tags, permanent ink marker, USB drives or large portable
hard drive.

26. Describe what should be videotaped or sketched at a computer crime scene.
Computers, cable connections, an overview of the scene: anything that might be of
interest to the investigation.

27. Which techniques might be used in covert surveillance?
• Keylogging
• Data sniffing

28. Two hashing algorithms commonly used for forensic purposes are
_____________ and ________________.
MD5 and SHA-1

29. If a company doesn’t distribute a computing use policy stating an employer’s
right to inspect employees’ computers freely, including e-mail and Web use, employees
have an expectation of privacy. True or False?
True

30. You have been called to a crime scene where a laptop computer is still
running. What type of field kit should you take with you?
initial-response field kit

31. Litigation is the legal process of proving guilt or innocence in court.

32. The police blotter provides a record of clues to crimes that have been
committed previously.

33. In addition to warning banners that state a company’s rights of computer
ownership, businesses should specify a(n) line-of-authority who has the power to conduct
investigations.
