Computer Forensics JumpStart

  1. What is the first common task when handling evidence?

    Answer: Evidence identification must begin before you can begin the collection and analysis process.

  2. Which type of hardware is never of interest to an investigation?

    Answer: All hardware is of potential interest to your investigation.

  3. When attempting to prove that an individual used a computer, what clues might computer hardware provide?

    Answer: Fingerprints can directly relate a person with a computer.

  4. In addition to hard disk drives, where else might data containing evidence reside?

    Answer: Removable media is a common hiding place for data. People trying to hide data often equate portability with security.

  5. Should handwritten notes be considered in a computer forensics investigation?

    Answer: Yes. People naturally write notes of all kinds. You will likely find clues about how a person uses a computer by looking at the notes around it.

  6. What is the primary concern in evidence collection and handling?

    Answer: Preserving evidence and ensuring that it does not change after it is collected is the primary concern during collection and handling. Tainting evidence destroys credibility and makes evidence inadmissible in a court of law.

  7. Can you analyze a system that is intact and running?

    Answer: Yes, you can analyze it with specialized forensic tools.

  8. What happens when a PDA's battery runs down?

    Answer: When a PDA's battery runs down, all data stored in the PDA is lost.

  9. What device prohibits any changes to a hard disk drive?

    Answer: Write blockers (both hardware and software) stop all write operations that will change the contents of a drive.

  10. How can you prove that you made no changes to a disk drive during analysis?

    Answer: Create hash values before and after analysis, and then compare the two. If the hash values are the same, the images are the same.
