CIS 562 Week 11 Final Exam – Strayer New

Published on February 2017 | Categories: Documents | Downloads: 71 | Comments: 0 | Views: 737

CIS 562 Week 11 Final Exam – Strayer New
Click On The Link Below To Purchase A+ Graded Material
Instant Download
http://www.hwgala.com/CIS-562-Final-Exam-Week-11-Strayer-NEWCIS562W11E.htm
Chapters 7 Through 16
Chapter 7: Current Computer Forensics Tools
TRUE/FALSE
1. When you research for computer forensics tools, strive for versatile, flexible, and
robust tools that provide technical support.
2. In software acquisition, there are three types of data-copying methods.
3. To help determine what computer forensics tool to purchase, a comparison table of
functions, subfunctions, and vendor products is useful.
4. The Windows platforms have long been the primary command-line interface OSs.
5. After retrieving and examining evidence data with one tool, you should verify your
results by performing the same tasks with other similar forensics tools.
MULTIPLE CHOICE
1. Computer forensics tools are divided into ____ major categories.
a. 2
b. 3
c. 4
d. 5
2. Software forensics tools are commonly used to copy data from a suspect’s disk drive
to a(n) ____.
a. backup file
b. firmware
c. image file
d. recovery copy
3. To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt
power connector and an IDE, a SATA, or a SCSI connector cable.
a. UNIX
b. MAC OS X
c. Linux
d. MS-DOS
4. Raw data is a direct copy of a disk drive. An example of a Raw image is output from
the UNIX/Linux ____ command.
a. rawcp
b. dd
c. d2dump
d. dhex
5. ____ of data involves sorting and searching through all investigation data.
a. Validation
b. Discrimination
c. Acquisition
d. Reconstruction
6. Many password recovery tools have a feature that allows generating potential lists for
a ____ attack.
a. brute-force
b. password dictionary
c. birthday
d. salting
7. The simplest method of duplicating a disk drive is using a tool that does a direct ____
copy from the original disk to the target disk.
a. partition-to-partition
b. image-to-partition
c. disk-to-disk
d. image-to-disk
8. To complete a forensic disk analysis and examination, you need to create a ____.
a. forensic disk copy
b. risk assessment
c. budget plan
d. report
9. The first tools that analyzed and extracted data from floppy disks and hard disks were
MS-DOS tools for ____ PC file systems.
a. Apple
b. Atari
c. Commodore
d. IBM
10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you
have multiple users on the system or network.
a. Dir
b. ls
c. Copy
d. owner
11. In general, forensics workstations can be divided into ____ categories.
a. 2
b. 3
c. 4
d. 5
12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor
and almost as many bays and peripherals as a stationary workstation is also known as
a ____.
a. stationary workstation
b. field workstation
c. lightweight workstation
d. portable workstation
13. ____ is a simple drive-imaging station.
a. F.R.E.D.
b. SPARC
c. FIRE IDE
d. DiskSpy
14. ____ can be software or hardware and are used to protect evidence disks by
preventing you from writing any data to the evidence disk.
a. Drive-imaging
b. Disk editors
c. Workstations
d. Write-blockers
15. Many vendors have developed write-blocking devices that connect to a computer
through FireWire, ____ 2.0, and SCSI controllers.
a. USB
b. IDE
c. LCD
d. PCMCIA
16. The ____ publishes articles, provides tools, and creates procedures for testing and
validating computer forensics software.
a. CFTT
b. NIST
c. FS-TST
d. NSRL
17. The standards document, ____, demands accuracy for all aspects of the testing
process, meaning that the results must be repeatable and reproducible.
a. ISO 3657
b. ISO 5321
c. ISO 5725
d. ISO 17025
18. The NIST project that has as a goal to collect all known hash values for commercial
software applications and OS files is ____.
a. NSRL
b. CFTT
c. FS-TST
d. PARTAB
19. The primary hash algorithm used by the NSRL project is ____.
a. MD5
b. SHA-1
c. CRC-32
d. RC4
20. One way to compare your results and verify your new forensic tool is by using a
____, such as HexWorkshop or WinHex.
a. disk imager
b. write-blocker
c. bit-stream copier
d. disk editor
21. Although a disk editor gives you the most flexibility in ____, it might not be capable
of examining a ____ file’s contents.
a. testing, compressed
b. scanning, text
c. testing, pdf
d. testing, doc

COMPLETION
1. Software forensic tools are grouped into command-line applications and
____________________ applications.
2. The Windows application of EnCase requires a(n) ____________________ device,
such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk
drive.
3. The ____________________ function is the most demanding of all tasks for
computer investigators to master.
4. Because there are a number of different versions of UNIX and Linux, these platforms
are referred to as ____________________ platforms.
5. Hardware manufacturers have designed most computer components to last about
____________________ months between failures.
MATCHING
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
1. letters embedded near the beginning of all JPEG files
2. European term for carving
3. a direct copy of a disk drive
4. usually a laptop computer built into a carrying case with a small selection of
peripheral options
5. one of the first MS-DOS tools used for a computer investigation
6. software-enabled write-blocker
7. system file where passwords may have been written temporarily
8. a tower with several bays and many peripheral devices
9. command-line disk acquisition tool from New Technologies, Inc.
SHORT ANSWER
1. What are the five major function categories of any computer forensics tool?
2. Explain the validation of evidence data process.
3. What are some of the advantages of using command-line forensics tools?
4. Explain the advantages and disadvantages of GUI forensics tools.
5. Illustrate how to consider hardware needs when planning your lab budget.
6. Describe some of the problems you may encounter if you decide to build your own
forensics workstation.
7. Illustrate the use of a write-blocker on a Windows environment.
8. Briefly explain the NIST general approach for testing computer forensics tools.
9. Explain the difference between repeatable results and reproducible results.
10. Briefly explain the purpose of the NIST NSRL project.

Chapter 8: Macintosh and Linux Boot Processes and File Systems
TRUE/FALSE
1. If a file contains information, it always occupies at least one allocation block.
2. Older Macintosh computers use the same type of BIOS firmware commonly found in
PC-based systems.
3. GPL and BSD variations are examples of open-source software.
4. A UNIX or Linux computer has two boot blocks, which are located on the main hard
disk.
5. Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to
allow for long filenames.
MULTIPLE CHOICE
1. Macintosh OS X is built on a core called ____.
a. Phantom
b. Panther
c. Darwin
d. Tiger
2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a
____ fork, where file metadata and application information are stored.
a. resource
b. node
c. blocks
d. inodes
3. The maximum number of allocation blocks per volume that File Manager can access
on a Mac OS system is ____.
a. 32,768
b. 45,353
c. 58,745
d. 65,535
4. On older Macintosh OSs all information about the volume is stored in the ____.
a. Master Directory Block (MDB)
b. Volume Control Block (VCB)
c. Extents Overflow File (EOF)
d. Volume Bitmap (VB)
5. With Mac OSs, a system application called ____ tracks each block on a volume to
determine which blocks are in use and which ones are available to receive data.
a. Extents overflow file
b. Volume Bitmap
c. Master Directory Block
d. Volume Control Block
6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or
Volume Control Block (VCB).
a. volume information block
b. extents overflow file
c. catalog
d. master directory block
7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is
regulated under the ____ agreement.
a. AIX
b. BSD
c. GPL
d. GRUB
8. The standard Linux file system is ____.
a. NTFS
b. Ext3fs
c. HFS+
d. Ext2fs
9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
a. 4
b. 8
c. 10
d. 12
10. Linux is unique in that it uses ____, or information nodes, that contain descriptive
information about each file or directory.
a. xnodes
b. extnodes
c. infNodes
d. inodes
11. To find deleted files during a forensic investigation on a Linux computer, you search
for inodes that contain some data and have a link count of ____.
a. -1
b. 0
c. 1
d. 2
12. ____ components define the file system on UNIX.
a. 2
b. 3
c. 4
d. 5
13. The final component in the UNIX and Linux file system is a(n) ____, which is where
directories and files are stored on a disk drive.
a. superblock
b. data block
c. boot block
d. inode block
14. LILO uses a configuration file named ____ located in the /Etc directory.
a. Lilo.conf
b. Boot.conf
c. Lilo.config
d. Boot.config
15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of
OSs.
a. 1989
b. 1991
c. 1994
d. 1995
16. On a Linux computer, ____ is the path for the first partition on the primary master
IDE disk drive.
a. /dev/sda1
b. /dev/hdb1
c. /dev/hda1
d. /dev/ide1
17. There are ____ tracks available for the program area on a CD.
a. 45
b. 50
c. 99
d. 100
18. The ____ provides several software drivers that allow communication between the OS
and the SCSI component.
a. International Organization of Standardization (ISO)
b. Advanced SCSI Programming Interface (ASPI)
c. CLV
d. EIDE
19. All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133
IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
a. 40-pin
b. 60-pin
c. 80-pin
d. 120-pin
20. ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
a. 70
b. 83
c. 96
d. 100
21. The IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4
____.
a. KB
b. MB
c. GB
d. TB

COMPLETION
1. Before OS X, Macintosh uses the ____________________, in which files are stored
in directories, or folders, that can be nested in other folders.
2. The Macintosh file system has ____________________ descriptors for the end of file
(EOF).
3. ____________________ is a journaling version of Ext2fs that reduces file recovery
time after a crash.
4. When you turn on the power to a UNIX workstation, instruction code located in
firmware on the system’s CPU loads into RAM. This firmware is called
____________________ code because it’s located in ROM.
5. CD players that are 12X or faster read discs by using a(n) _____________________
system.
MATCHING
Match each item with a statement below
a. File Manager
b. Inode blocks
c. ISO 9660
d. LILO
e. Clumps
f. Volume
g. ls
h. Catalog
i. Finder
1. older Linux boot manager utility
2. Macintosh tool that works with the OS to keep track of files and maintain users’
desktops
3. any storage medium used to store files
4. the list command on Linux
5. maintains relationships between files and directories on a volume on a Mac OS
6. the first data after the superblock on a UNIX or Linux file system
7. ISO standard for CDs
8. Mac OS utility that handles reading, writing, and storing data to physical media
9. groups of contiguous allocation blocks

SHORT ANSWER
1. Explain the relation between allocation blocks and logical blocks on a Mac OS file
system.
2. Explain the use of B*-trees on the Mac OS 9 file system.
3. Explain the use of forensic tools for Macintosh systems.
4. What are the functions of the superblock on a UNIX or Linux file system?
5. What is a bad block inode on Linux?
6. What is a continuation inode?
7. Describe the CD creation process.
8. Write a brief history of SCSI.
9. Explain the problems you can encounter with pre-ATA-33 devices when connecting
them to current PCs.
10. What problems can hidden partitions on IDE devices cause to forensic investigators?

Chapter 9: Computer Forensics Analysis and Validation
TRUE/FALSE
1. The defense request for full discovery of digital evidence applies only to criminal
cases in the United States.
2. For target drives, use only recently wiped media that have been reformatted and
inspected for computer viruses.
3. FTK cannot perform forensics analysis on FAT12 file systems.
4. FTK cannot analyze data from image files from other vendors.
5. A nonsteganographic graphics file has a different size than an identical steganographic
graphics file.
MULTIPLE CHOICE

1. ____ increases the time and resources needed to extract, analyze, and present evidence.
a. Investigation plan
b. Scope creep
c. Litigation path
d. Court order for discovery
2. You begin any computer forensics case by creating a(n) ____.
a. investigation plan
b. risk assessment report
c. evidence custody form
d. investigation report
3. In civil and criminal cases, the scope is often defined by search warrants or ____,
which specify what data you can recover.
a. risk assessment reports
b. investigation plans
c. scope creeps
d. subpoenas
4. There are ____ searching options for keywords that FTK offers.
a. 2
b. 3
c. 4
d. 5
5. ____ search can locate items such as text hidden in unallocated space that might not
turn up in an indexed search.
a. Online
b. Inline
c. Active
d. Live
6. The ____ search feature allows you to look for words with extensions such as
“ing,” “ed,” and so forth.
a. fuzzy
b. stemming
c. permutation
d. similar-sounding
7. In FTK ____ search mode, you can also look for files that were accessed or changed
during a certain time period.
a. live
b. indexed
c. active
d. inline
8. FTK and other computer forensics programs use ____ to tag and document digital
evidence.
a. tracers
b. hyperlinks
c. bookmarks
d. indents
9. Getting a hash value with a ____ is much faster and easier than with a(n) ____.
a. high-level language, assembler
b. HTML editor, hexadecimal editor
c. computer forensics tool, hexadecimal editor
d. hexadecimal editor, computer forensics tool
10. AccessData ____ compares known file hash values to files on your evidence drive or
image files to see whether they contain suspicious data.
a. KFF
b. PKFT
c. NTI
d. NSRL
11. Data ____ involves changing or manipulating a file to conceal information.
a. recovery
b. creep
c. integrity
d. hiding
12. One way to hide partitions is to create a partition on a disk, and then use a disk editor
such as ____ to manually delete any reference to it.
a. Norton DiskEdit
b. PartitionMagic
c. System Commander
d. LILO
13. The marking-bad-clusters data-hiding technique is more common with ____ file systems.
a. NTFS
b. FAT
c. HFS
d. Ext2fs
14. The term ____ comes from the Greek word for “hidden writing.”
a. creep
b. steganography
c. escrow
d. hashing
15. ____ is defined as the art and science of hiding messages in such a way that only the
intended recipient knows the message is there.
a. Bit shifting
b. Encryption
c. Marking bad clusters
d. Steganography
16. Many commercial encryption programs use a technology called ____, which is
designed to recover encrypted data if users forget their passphrases or if the user key
is corrupted after a system data failure.
a. steganography
b. key escrow
c. password backup
d. key splitting
17. People who want to hide data can also use advanced encryption programs, such as
PGP or ____.
a. NTI
b. BestCrypt
c. FTK
d. PRTK
18. ____ recovery is a fairly easy task in computer forensic analysis.
a. Data
b. Partition
c. Password
d. Image
19. ____ attacks use every possible letter, number, and character found on a keyboard
when cracking a password.
a. Brute-force
b. Dictionary
c. Profile
d. Statistics
20. ____ are handy when you need to image the drive of a computer far away from your
location or when you don’t want a suspect to be aware of an ongoing investigation.
a. Scope creeps
b. Remote acquisitions
c. Password recovery tools
d. Key escrow utilities
21. ____ is a remote access program for communication between two computers. The
connection is established by using the DiskExplorer program (FAT or NTFS)
corresponding to the suspect (remote) computer’s file system.
a. HDHOST
b. DiskHost
c. DiskEdit
d. HostEditor

COMPLETION
1. For most law-enforcement-related computing investigations, the investigator is
limited to working with data defined in the search ____________________.
2. FTK provides two options for searching for keywords: indexed search and
____________________ search.
3. ____________________ search catalogs all words on the evidence disk so that FTK
can find them quickly.
4. To generate reports with the FTK ReportWizard, first you need to
____________________ files during an examination.
5. The data-hiding technique ____________________ changes data from readable code
to data that looks like binary executable code.
MATCHING
Match each item with a statement below
a. Court orders for discovery
b. Investigation plan
c. Digital Intelligence PDWipe
d. Live search
e. Cabinet
f. PRTK
g. Validating digital evidence
h. MD5
i. System Commander

1. defines the investigation’s goal and scope, the materials needed, and the tasks to
perform
2. a hashing algorithm
3. one of the most critical aspects of computer forensics
4. a type of compressed file
5. an FTK searching option
6. a password recovery program available from AccessData
7. a disk-partitioning utility
8. program used to clean all data from the target drive you plan to use
9. limit a civil investigation

SHORT ANSWER
1. Describe the effects of scope creep on an investigation in the corporate environment.
2. Describe with examples why the approach you take for a forensics case depends
largely on the specific type of case you’re investigating.
3. How should you approach a case in which an employee is suspected of industrial
espionage?
4. What are the file systems supported by FTK for forensic analysis?
5. How does the Known File Filter program work?
6. How can you validate the integrity of raw format image files with ProDiscover?
7. How can you hide data by marking bad clusters?
8. Briefly describe how to use steganography for creating digital watermarks.
9. What are the basic guidelines to identify steganography files?
10. Briefly describe the differences between brute-force attacks and dictionary attacks to
crack passwords.

Chapter 10: Recovering Graphics Files
TRUE/FALSE
1. Bitmap images are collections of dots, or pixels, that form an image.
PTS: 1 REF: 398
2. Operating systems do not have tools for recovering image files.
PTS: 1 REF: 405
3. If a graphics file is fragmented across areas on a disk, first you must recover all the
fragments to re-create the file.
PTS: 1 REF: 405
4. With many computer forensics tools, you can open files with external viewers.
PTS: 1 REF: 425
5. Steganography cannot be used with file formats other than image files.
PTS: 1 REF: 428

MULTIPLE CHOICE
1. ____ are based on mathematical instructions that define lines, curves, text, ovals, and
other geometric shapes.
a. Bitmap images
b. Metafile graphics
c. Vector graphics
d. Line-art images
PTS: 1 REF: 398
2. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
a. graphics viewers
b. image readers
c. image viewers
d. graphics editors
PTS: 1 REF: 398
3. ____ images store graphics information as grids of individual pixels.
a. Bitmap
b. Raster
c. Vector
d. Metafiles
PTS: 1 REF: 398
4. The process of converting raw picture data to another format is referred to as ____.
a. JEIDA
b. rastering
c. demosaicing
d. rendering
PTS: 1 REF: 401
5. The majority of digital cameras use the ____ format to store digital pictures.
a. EXIF
b. TIFF
c. PNG
d. GIF
PTS: 1 REF: 401
6. ____ compression compresses data by permanently discarding bits of information in
the file.
a. Redundant
b. Lossy
c. Huffman
d. Lossless
PTS: 1 REF: 404
7. Recovering pieces of a file is called ____.
a. carving
b. slacking
c. saving
d. rebuilding
PTS: 1 REF: 405
8. A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
a. EPS
b. BMP
c. GIF
d. JPEG
PTS: 1 REF: 408
9. If you can’t open an image file in an image viewer, the next step is to examine the
file’s ____.
a. extension
b. name
c. header data
d. size
PTS: 1 REF: 414
10. The uppercase letter ____ has a hexadecimal value of 41.
a. “A”
b. “C”
c. “G”
d. “Z”
PTS: 1 REF: 417
11. The image format XIF is derived from the more common ____ file format.
a. GIF
b. JPEG
c. BMP
d. TIFF
PTS: 1 REF: 423
12. The simplest way to access a file header is to use a(n) ____ editor.
a. hexadecimal
b. image
c. disk
d. text
PTS: 1 REF: 423
13. The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of
5C01 0000 2065 5874 656E 6465 6420 03.
a. TIFF
b. XIF
c. JPEG
d. GIF
PTS: 1 REF: 425
14. ____ is the art of hiding information inside image files.
a. Steganography
b. Steganalysis
c. Graphie
d. Steganos
PTS: 1 REF: 425
15. ____ steganography places data from the secret file into the host file without
displaying the secret data when you view the host file in its associated program.
a. Replacement
b. Append
c. Substitution
d. Insertion
PTS: 1 REF: 426
16. ____ steganography replaces bits of the host file with other bits of data.
a. Insertion
b. Replacement
c. Substitution
d. Append
PTS: 1 REF: 426
17. In the following list, ____ is the only steg tool.
a. EnCase
b. iLook
c. DriveSpy
d. Outguess
PTS: 1 REF: 429
18. ____ has also been used to protect copyrighted material by inserting digital
watermarks into a file.
a. Encryption
b. Steganography
c. Compression
d. Archiving
PTS: 1 REF: 430
19. When working with image files, computer investigators also need to be aware of ____
laws to guard against copyright violations.
a. international
b. forensics
c. copyright
d. civil
PTS: 1 REF: 430
20. Under copyright laws, computer programs may be registered as ____.
a. literary works
b. motion pictures
c. architectural works
d. audiovisual works
PTS: 1 REF: 430
21. Under copyright laws, maps and architectural plans may be registered as ____.
a. pantomimes and choreographic works
b. artistic works
c. literary works
d. pictorial, graphic, and sculptural works
PTS: 1 REF: 430

COMPLETION
1. A graphics program creates and saves one of three types of image files: bitmap,
vector, or ____________________.
2. ____________________ is the process of coding of data from a larger form to a
smaller form.
3. The ____________________ is the best source for learning more about file formats
and their associated extensions.
4. All ____________________ files start at position zero (offset 0 is the first byte of a
file) with hexadecimal 49 49 2A.
5. The two major forms of steganography are ____________________ and substitution.
MATCHING
Match each item with a statement below
a. Pixels
b. Hex Workshop
c. Adobe Illustrator
d. Microsoft Office Picture Manager
e. JPEG
f. Steganalysis tools
g. GIMP
h. XIF
i. Metafile graphics

1. drawing program that creates vector files
2. Gnome graphics editor
3. image format derived from the TIFF file format
4. combinations of bitmap and vector images
5. short for “picture elements”
6. are also called steg tools
7. graphics file format that uses lossy compression
8. tool used to rebuild image file headers
9. Microsoft image viewer

SHORT ANSWER
1. Briefly describe the Exchangeable Image File (EXIF) format.
2. Explain how lossless compression relates to image file formats.
3. How does vector quantization (VQ) compress data?
4. Explain how someone can use a disk editor tool to mark clusters as “bad” clusters.
5. Identify and describe some image viewers.
6. Write a brief history of steganography.
7. Describe how to hide information on an 8-bit bitmap image file using substitution
steganography.
8. Explain how steganalysis tools work.
9. Give a brief overview of copyright laws pertaining to graphics within and outside the
U.S.
10. Present a list of categories covered under copyright laws in the U.S.

Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions
TRUE/FALSE
1. When intruders break into a network, they rarely leave a trail behind.
PTS: 1 REF: 442
2. Network forensics is a fast, easy process.
PTS: 1 REF: 447
3. PsList from PsTools allows you to list detailed information about processes.
PTS: 1 REF: 450
4. With the Knoppix STD tools on a portable CD, you can examine almost any network
system.
PTS: 1 REF: 451
5. Ngrep cannot be used to examine e-mail headers or IRC chats.
PTS: 1 REF: 455

MULTIPLE CHOICE
1. ____ can help you determine whether a network is truly under attack or a user has
inadvertently installed an untested patch or custom program.
a. Broadcast forensics
b. Network forensics
c. Computer forensics
d. Traffic forensics
PTS: 1 REF: 442
2. ____ hide the most valuable data at the innermost part of the network.
a. Layered network defense strategies
b. Firewalls
c. Protocols
d. NAT
PTS: 1 REF: 442
3. ____ forensics is the systematic tracking of incoming and outgoing traffic on your
network.
a. Network
b. Computer
c. Criminal
d. Server
PTS: 1 REF: 442
4. ____ can be used to create a bootable forensic CD and perform a live acquisition.
a. Helix
b. DTDD
c. Inquisitor
d. Neon
PTS: 1 REF: 445
5. Helix operates in two modes: Windows Live (GUI or command line) and ____.
a. command Windows
b. remote GUI
c. command Linux
d. bootable Linux
PTS: 1 REF: 445
6. A common way of examining network traffic is by running the ____ program.
a. Netdump
b. Slackdump
c. Coredump
d. Tcpdump
PTS: 1 REF: 448
7. ____ is a suite of tools created by Sysinternals.
a. EnCase
b. PsTools
c. R-Tools
d. Knoppix
PTS: 1 REF: 450
8. ____ is a Sysinternals command that shows all Registry data in real time on a
Windows computer.
a. PsReg
b. RegExplorer
c. RegMon
d. RegHandle
PTS: 1 REF: 450
9. The PSTools ____ kills processes by name or process ID.
a. PsExec
b. PsList
c. PsKill
d. PsShutdown
PTS: 1 REF: 450
10. ____ is a popular network intrusion detection system that performs packet capture and
analysis in real time.
a. Ethereal
b. Snort
c. Tcpdump
d. john
PTS: 1 REF: 451
11. ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes
with Knoppix-STD.
a. chntpw
b. john
c. memfetch
d. dcfldd
PTS: 1 REF: 451
12. The Knoppix STD tool ____ enables you to reset passwords on a Windows computer,
including the administrator password.
a. chntpw
b. john
c. oinkmaster
d. memfetch
PTS: 1 REF: 451
13. ____ are devices and/or software placed on a network to monitor traffic.
a. Packet sniffers
b. Bridges
c. Hubs
d. Honeypots
PTS: 1 REF: 454
14. Most packet sniffers operate on layer 2 or ____ of the OSI model.
a. 1
b. 3
c. 5
d. 7
PTS: 1 REF: 454
15. Most packet sniffer tools can read anything captured in ____ format.
a. SYN
b. DOPI
c. PCAP
d. AIATP
PTS: 1 REF: 455
16. In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
a. SYN flood
b. ACK flood
c. brute-force attack
d. PCAP attack
PTS: 1 REF: 455
17. ____ is the text version of Ethereal, a packet sniffer tool.
a. Tcpdump
b. Ethertext
c. Etherape
d. Tethereal
PTS: 1 REF: 455
18. ____ is a good tool for extracting information from large Libpcap files.
a. Nmap
b. Tcpslice
c. Pcap
d. TCPcap
PTS: 1 REF: 455
19. The ____ Project was developed to make information widely available in an attempt
to thwart Internet and network hackers.
a. Honeynet
b. Honeypot
c. Honeywall
d. Honeyweb
PTS: 1 REF: 458
20. Machines used on a DDoS are known as ____ simply because they have unwittingly
become part of the attack.
a. ISPs
b. soldiers
c. zombies
d. pawns
PTS: 1 REF: 458
21. A ____ is a computer set up to look like any other machine on your network, but it
lures the attacker to it.
a. honeywall
b. honeypot
c. honeynet
d. honeyhost
PTS: 1 REF: 459

COMPLETION
1. ____________________ is a layered network defense strategy developed by the
National Security Agency (NSA).
2. The term ____________________ means how long a piece of information lasts on a
system.
3. ____________________ logs record traffic in and out of a network.
4. The PSTools ____________________ tool allows you to suspend processes.
ANS: PsSuspend
5. The U.K. Honeynet Project has created the ____________________. It contains the
honeywall and honeypot on a bootable memory stick.
MATCHING
Match each item with a statement below
a. Cyberforensics
b. Ethereal
c. Tripwire
d. PsGetSid
e. PsLoggedOn
f. Trojan horse
g. Knoppix
h. PsShutdown
i. oinkmaster

1. displays who’s logged on locally
2. displays the security identifier (SID) of a computer or user
3. an audit control program that detects anomalies in traffic and sends an alert
automatically
4. usually refers to network forensics
5. a bootable Linux CD intended for computer and network forensics
6. shuts down and optionally restarts a computer
7. helps manage snort rules so that you can specify what items to ignore as regular traffic
and what items should raise alarms
8. a network analysis tool
9. type of malware

SHORT ANSWER
1. Why is testing networks as important as testing servers?
2. When are live acquisitions useful?
3. What is the general procedure for a live acquisition?
4. Detail a standard procedure for network forensics investigations.
5. How should you proceed if your network forensic investigation involves other
companies?
6. Describe some of the Windows tools available at Sysinternals.
7. What are some of the tools included with the PSTools suite?
8. What is Knoppix-STD?
9. What are some of the tools included with Knoppix STD?
10. Explain The Auditor tool.

Chapter 12: E-mail Investigations
TRUE/FALSE
1. For computer investigators, tracking intranet e-mail is relatively easy because the
accounts use standard names established by the network or e-mail administrator.
PTS: 1 REF: 470
2. You can always rely on the return path in an e-mail header to show the source account
of an e-mail message.
PTS: 1 REF: 482
3. E-mail programs either save e-mail messages on the client computer or leave them on
the server.
PTS: 1 REF: 483
4. All e-mail servers are databases that store multiple users’ e-mails.
PTS: 1 REF: 485
5. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.
PTS: 1 REF: 489

MULTIPLE CHOICE
1. E-mail messages are distributed from one central server to many connected client
computers, a configuration called ____.
a. client/server architecture
b. central distribution architecture
c. client architecture
d. peer-to-peer architecture
PTS: 1 REF: 469
2. In an e-mail address, everything after the ____ symbol represents the domain name.
a.
b. .
c. @
d. -
PTS: 1 REF: 470
3. With many ____ e-mail programs, you can copy an e-mail message by dragging the
message to a storage medium, such as a folder or disk.
a. command-line
b. shell-based
c. prompt-based
d. GUI
PTS: 1 REF: 472
4. When working on a Windows environment you can press ____ to copy the selected
text to the clipboard.
a. Ctrl+A
b. Ctrl+C
c. Ctrl+V
d. Ctrl+Z
PTS: 1 REF: 473
5. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and
then click ____ to open the Message Options dialog box. The Internet headers text
box at the bottom of the dialog box contains the message header.
a. Options
b. Details
c. Properties
d. Message Source
PTS: 1 REF: 473
6. To retrieve an Outlook Express e-mail header right-click the message, and then click
____ to open a dialog box showing general information about the message.
a. Properties
b. Options
c. Details
d. Message Source
PTS: 1 REF: 473
7. For older UNIX applications, such as mail or mailx, you can print the e-mail headers
by using the ____ command.
a. prn
b. print
c. prnt
d. prt
PTS: 1 REF: 477
8. To view AOL e-mail headers click Action, ____ from the menu.
a. More options
b. Message properties
c. Options
d. View Message Source
PTS: 1 REF: 478
9. To view e-mail headers on Yahoo! click the ____ link in the Mail Options window,
and then click Show all headers on incoming messages.
a. Advanced
b. General Preferences
c. Message Properties
d. More information
PTS: 1 REF: 480
10. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a
file with a file extension of ____.
a. .ost
b. .eml
c. .msg
d. .pst
PTS: 1 REF: 483
11. ____ is a comprehensive Web site that has options for searching for a suspect,
including by e-mail address, phone numbers, and names.
a. www.freeality.com
b. www.google.com
c. www.whatis.com
d. www.juno.com
PTS: 1 REF: 484

12. ____ allocates space for a log file on the server, and then starts overwriting from the
beginning when logging reaches the end of the time frame or the specified log size.
a.

Continuous logging

c.

Circular logging

b.

Automatic logging

d.

Server logging

PTS:

1

REF:

485

13. The files that provide helpful information to an e-mail investigation are log files and
____ files.
a.

batch

c.

scripts

b.

configuration

d.

.rts

PTS:

1

REF:

487

14. ____ contains configuration information for Sendmail, allowing the investigator to
determine where the log files reside.
a.

/etc/sendmail.cf

c.

/etc/var/log/maillog

b.

/etc/syslog.conf

d.

/var/log/maillog

PTS:

1

REF:

487

15. Typically, UNIX installations are set to store logs such as maillog in the ____
directory.
a.

/etc/Log

c.

/etc/var/log

b.

/log

d.

/var/log

PTS:

1

REF:

488

16. Exchange logs information about changes to its data in a(n) ____ log.
a.

checkpoint

c.

transaction

b.

communication

d.

tracking

PTS:

1

REF:

489

17. In Exchange, to prevent loss of data from the last backup, a ____ file or marker is
inserted in the transaction log to mark the last point at which the database was written
to disk.
a.

tracking

c.

temporary

b.

checkpoint

d.

milestone

PTS:

1

REF:

489

18. The Novell e-mail server software is called ____.
a.

Sendmail

c.

Sawmill

b.

GroupWise

d.

Guardian

PTS:

1

REF:

491

19. GroupWise has ____ ways of organizing the mailboxes on the server.
a.

2

c.

4

b.

3
PTS:

1

d.
REF:

5

491

20. The GroupWise logs are maintained in a standard log format in the ____ folders.
a.

MIME

c.

QuickFinder

b.

mbox

d.

GroupWise

PTS:

1

REF:

491

21. Some e-mail systems store messages in flat plaintext files, known as a(n) ____
format.
a.

POP3

c.

MIME

b.

mbox

d.

SMTP

PTS:

1

REF:

500

COMPLETION
1. You can send and receive e-mail in two environments:via the
____________________ or an intranet (an internal network).
2. An e-mail address in the Return-Path line of an e-mail header is usually indicated as
the ____________________ field in an e-mail message.
3. Administrators usually set e-mail servers to ____________________ logging mode.

4. In UNIX e-mail servers, the ____________________ file simply specifies where to
save different types of e-mail log files.
5. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use
____________________ formatting, which can be difficult to read with a text or
hexadecimal editor.
MATCHING
Match each item with a statement below:
a.

Contacts

f.

Notepad

b.

Pico

g.

CISCO Pix

c.

syslogd file

h.

www.whatis.com

d.

www.arin.net

i.

Pine

e.

PU020101.db

1. Web site to check file extensions and match the file to a program
2. command line e-mail program used with UNIX
3. text editor used with Windows
4. the first folder the GroupWise server shares
5. text editor used with UNIX
6. the electronic address book in Outlook
7. a network firewall device
8. a registry Web site
9. includes e-mail logging instructions

SHORT ANSWER
1. Describe how e-mail account names are created on an intranet environment.
2. Describe the process of examining e-mail messages when you have access to the
victim’s computer and when this access is not possible.
3. What are the steps for retrieving e-mail headers on Pine?
4. What are the steps for viewing e-mail headers in Hotmail?
5. What kind of information can you find in an e-mail header?
6. Explain how to handle attachments during an e-mail investigation.
7. Why are network router logs important during an e-mail investigation?

8. What kind of information is normally included in e-mail logs?
9. Provide a brief description of Microsoft Exchange Server. Additionally, explain the
differences between .edb and .stm files.
10. Briefly explain how to use AccessData FTK to recover e-mails.

Chapter 13: Cell Phone and Mobile Device Forensics

TRUE/FALSE
1. Many people store more information on their cell phones than they do on their computers.
PTS: 1 REF: 514
2. Investigating cell phones and mobile devices is a relatively easy task in digital forensics.
PTS: 1 REF: 514
3. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.
PTS: 1 REF: 516
4. Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.
PTS: 1 REF: 516
5. Portability of information is what makes SIM cards so versatile.
PTS: 1 REF: 517

MULTIPLE CHOICE
1. Developed during WWII, this technology, ____, was patented by Qualcomm after the war.
a. iDEN
b. CDMA
c. GSM
d. EDGE
PTS: 1 REF: 515
2. The ____ digital network divides a radio frequency into time slots.
a. TDMA
b. CDMA
c. FDMA
d. EDGE
PTS: 1 REF: 515
3. The ____ network is a digital version of the original analog standard for cell phones.
a. TDMA
b. EDGE
c. CDMA
d. D-AMPS
PTS: 1 REF: 515
4. The ____ digital network, a faster version of GSM, is designed to deliver data.
a. TDMA
b. iDEN
c. EDGE
d. D-AMPS
PTS: 1 REF: 515
5. TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
a. IS-136
b. IS-195
c. IS-236
d. IS-361
PTS: 1 REF: 516
6. Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
a. EROM
b. PROM
c. EEPROM
d. ROM
PTS: 1 REF: 517
7. ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
a. SD
b. MMC
c. SDD
d. SIM
PTS: 1 REF: 517
8. ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
a. SDHCs
b. PDAs
c. CFs
d. MMCs
PTS: 1 REF: 518
9. The file system for a SIM card is a ____ structure.
a. volatile
b. circular
c. hierarchical
d. linear
PTS: 1 REF: 520
10. The SIM file structure begins with the root of the system (____).
a. EF
b. MF
c. DF
d. DCS
PTS: 1 REF: 520
11. Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
a. BitPim
b. DataPilot
c. MOBILedit!
d. Device Seizure
PTS: 1 REF: 522
12. In a Windows environment, BitPim stores files in ____ by default.
a. My Documents\BitPim
b. My Documents\Forensics Files\BitPim
c. My Documents\BitPim\Forensics Files
d. My Documents\BitPim\Files
PTS: 1 REF: 522
13. ____ is a forensics software tool containing a built-in write blocker.
a. GSMCon
b. MOBILedit!
c. SIMedit
d. 3GPim
PTS: 1 REF: 522

COMPLETION
1. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.
2. Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ______________________.
3. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.
4. The 3G standard was developed by the ______________________ under the United Nations.
5. Mobile devices can range from simple phones to small computers, also called ______________________.

MATCHING
Match each item with a statement below:
a. CDMA
b. iDEN
c. EDGE
d. ROM
1. proprietary protocol developed by Motorola
2. nonvolatile memory
3. standard developed specifically for 3G
4. one of the most common digital networks, it uses the full radio frequency spectrum to define channels

SHORT ANSWER
1. What is some of the information that can be stored in a cell phone?
2. What is the bandwidth offered by 3G mobile phones?
3. What are the three main components used for cell phone communications?
4. Briefly describe cell phone hardware.
5. Identify several uses of SIM cards.
6. Identify and define three kinds of peripheral memory cards used with PDAs.
7. How can you isolate a mobile device from incoming signals?
8. What are the four categories of information that can be retrieved from a SIM card?
9. What is the general procedure to access the content on a mobile phone SIM card?
10. What are some of the features offered by SIMCon?
Chapter 14: Report Writing for High-Tech Investigations

TRUE/FALSE
1. Besides presenting facts, reports can communicate expert opinion.
PTS: 1 REF: 530
2. A verbal report is more structured than a written report.
PTS: 1 REF: 532
3. If you must write a preliminary report, use words such as “preliminary copy,” “draft copy,” or “working draft.”
PTS: 1 REF: 535
4. As with any research paper, write the report abstract last.
PTS: 1 REF: 536
5. When writing a report, use a formal, technical style.
PTS: 1 REF: 537

MULTIPLE CHOICE
1. Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____.
a. Microsoft Word (DOC)
b. Portable Document Format (PDF)
c. Encapsulated Postscript (EPS)
d. Postscript (PS)
PTS: 1 REF: 531
2. A(n) ____ is a document that lets you know what questions to expect when you are testifying.
a. written report
b. affidavit
c. examination plan
d. subpoena
PTS: 1 REF: 532
3. You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
a. verbal report
b. preliminary report
c. final report
d. examination plan
PTS: 1 REF: 532
4. A written report is frequently a(n) ____ or a declaration.
a. subpoena
b. affidavit
c. deposition
d. perjury
PTS: 1 REF: 532
5. If a report is long and complex, you should provide a(n) ____.
a. appendix
b. glossary
c. table of contents
d. abstract
PTS: 1 REF: 536
6. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
a. written report
b. verbal report
c. examination plan
d. cross-examination report
PTS: 1 REF: 532
7. In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
a. hypothetical
b. nested
c. challenging
d. contradictory
PTS: 1 REF: 533
8. An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in many states.
a. 705
b. 755
c. 805
d. 855
PTS: 1 REF: 534
9. Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
a. subpoena
b. discovery
c. publishing
d. deposition
PTS: 1 REF: 535
10. A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
a. low-risk
b. middle-risk
c. high-risk
d. no-risk
PTS: 1 REF: 535
11. The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. 200
b. 250
c. 300
d. 350
PTS: 1 REF: 536
12. ____ provide additional resource material not included in the body of the report.
a. Conclusion
b. References
c. Discussion
d. Appendixes
PTS: 1 REF: 536
13. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
a. legal-sequential
b. roman-sequential
c. arabic-sequential
d. letter-sequential
PTS: 1 REF: 538
14. A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
a. roman-sequential
b. decimal
c. legal-sequential
d. indent
PTS: 1 REF: 538
15. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
a. year of publication and author’s last name
b. author’s last name
c. author’s last name and year of publication
d. year of publication
PTS: 1 REF: 541
16. Save broader generalizations and summaries for the report’s ____.
a. appendixes
b. introduction
c. conclusion
d. discussion
PTS: 1 REF: 541
17. The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
a. abstract
b. conclusion
c. introduction
d. reference
PTS: 1 REF: 541
18. If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
a. conclusions
b. discussions
c. references
d. appendixes
PTS: 1 REF: 542
19. Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format.
a. PDF
b. HTML
c. PS
d. TXT
PTS: 1 REF: 543
20. Files with extensions .ods and ____ are created using OpenOffice Calc.
a. .sxc
b. .xls
c. .dcx
d. .qpr
PTS: 1 REF: 543
21. Files with extension ____ are created using Microsoft Outlook Express.
a. .sxc
b. .doc
c. .dbx
d. .ods
PTS: 1 REF: 543

COMPLETION
1. Lawyers use services called _________________________ (libraries), which store examples of expert witnesses’ previous testimony.
2. The report body consists of the introduction and _________________________ sections.
3. When writing a report, _________________________ means the tone of language you use to address the reader.
4. _________________________ assist readers in scanning the text quickly by highlighting the main points and logical development of information.
5. The ______________________________ system is frequently used when writing pleadings.

MATCHING
Match each item with a statement below:
a. Decimal numbering
b. Lay witness
c. FTK
d. Examination plan
e. Signposts
f. Verbal report
g. Spoliation
h. Conclusion section
i. MD5
1. draw the reader’s attention to a point in your report
2. a report layout system
3. used by an attorney to guide an expert witness in his or her testimony
4. computer forensics software tool
5. lawyers’ jargon for destroying or concealing evidence
6. stands for Message Digest 5
7. typically takes place in an attorney’s office where the attorney requests your consultant’s report
8. starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion
9. a witness testifying to personally observed facts

SHORT ANSWER
1. What are the report requirements for civil cases as specified in Rule 26, FRCP?
2. Briefly explain how to limit your report to specifics.
3. What are the areas of investigation usually addressed by a verbal report?
4. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence.
5. What are the four conditions required for an expert witness to testify to an opinion or conclusion?
6. What is the basic structure of a report?
7. Provide some guidelines for writing an introduction section for a report.
8. What do you need to consider to produce clear, concise reports?
9. Explain how to use supportive material in a report.
10. How should you explain examination and data collection methods?
Chapter 15: Expert Testimony in High-Tech Investigations

TRUE/FALSE
1. As an expert witness, you have opinions about what you have found or observed.
PTS: 1 REF: 558
2. Create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.
PTS: 1 REF: 559
3. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
PTS: 1 REF: 559
4. Like a job resume, your CV should be geared for a specific trial.
PTS: 1 REF: 561
5. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.
PTS: 1 REF: 565

MULTIPLE CHOICE
1. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2
b. 3
c. 4
d. 5
PTS: 1 REF: 558
2. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific
b. expert
c. lay witness
d. deposition
PTS: 1 REF: 558
3. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms
b. watermarks
c. steganography
d. digital certificates
PTS: 1 REF: 559
4. For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.
a. testimony
b. CV
c. examination plan
d. deposition
PTS: 1 REF: 561
5. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2
b. 3
c. 4
d. 5
PTS: 1 REF: 561
6. ____ is a written list of objections to certain testimony or exhibits.
a. Defendant
b. Empanelling the jury
c. Plaintiff
d. Motion in limine
PTS: 1 REF: 562
7. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire
b. rebuttal
c. strikes
d. venireman
PTS: 1 REF: 563
8. ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s allowed to cover an issue raised during cross-examination.
a. Rebuttal
b. Plaintiff
c. Closing arguments
d. Opening statements
PTS: 1 REF: 563
9. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6
PTS: 1 REF: 565
10. Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9
b. 10
c. 11
d. 12
PTS: 1 REF: 565
11. ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. Conflict of interest
b. Warrant
c. Deposition
d. Conflicting out
PTS: 1 REF: 568
12. ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. Rebuttal
b. Plaintiff
c. Inculpatory
d. Exculpatory
PTS: 1 REF: 569
13. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal
PTS: 1 REF: 569
14. The ____ is the most important part of testimony at a trial.
a. cross-examination
b. direct examination
c. rebuttal
d. motions in limine
PTS: 1 REF: 569
15. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup
b. open-ended
c. compound
d. rapid-fire
PTS: 1 REF: 569
16. Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes?” are referred to as ____ questions.
a. hypothetical
b. attorney
c. setup
d. nested
PTS: 1 REF: 570
17. Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
a. leading
b. hypothetical
c. compound
d. rapid-fire
PTS: 1 REF: 571
18. A ____ differs from a trial testimony because there is no jury or judge.
a. rebuttal
b. plaintiff
c. civil case
d. deposition
PTS: 1 REF: 573
19. There are two types of depositions: ____ and testimony preservation.
a. examination
b. discovery
c. direct
d. rebuttal
PTS: 1 REF: 573
20. Discuss any potential problems with your attorney ____ a deposition.
a. before
b. after
c. during
d. during direct examination at
PTS: 1 REF: 574
21. A(n) ____ hearing generally addresses the administrative agency’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule.
a. administrative
b. judicial
c. legislative
d. direct
PTS: 1 REF: 575

COMPLETION
1. The ______________________ of evidence supports the integrity of your evidence.
2. Depending on your attorney’s needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.
3. _____________________ is a pretrial motion to exclude certain evidence because it would prejudice the jury.
4. At a trial, _____________________ are statements that organize the evidence and state the applicable law.
5. The purpose of the _____________________ is for the opposing attorney to preview your testimony before trial.

MATCHING
Match each item with a statement below:
a. Plaintiff
b. Motion in limine
c. Voir dire of venireman
d. Opening statements
e. Discovery deposition
f. CV
g. Testimony preservation deposition
h. Voir dire
i. MD5
1. part of the discovery process for trial
2. presents the case during a trial
3. provide an overview of the case during a trial
4. questioning potential jurors to see whether they’re qualified
5. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems
6. a hashing algorithm
7. lists your professional experience
8. an expert witness qualification phase
9. allows the judge to decide whether certain evidence should be admitted when the jury isn’t present

SHORT ANSWER
1. What are the differences between a technical or scientific witness and an expert witness?
2. What should you do when preparing for testimony?
3. What are some of the questions you should consider when preparing your testimony?
4. What are some of the technical definitions that you should prepare before your testimony?
5. What are some of the reasons to avoid contact with news media during a case?
6. What are the procedures followed during a trial?
7. What should you do when you find exculpatory evidence?
8. How can you deal with rapid-fire questions during a cross-examination?
9. Explain the differences between a discovery deposition and a testimony preservation deposition.
10. Briefly describe judicial hearings.
Chapter 16: Ethics for the Expert Witness

TRUE/FALSE
1. People need ethics to help maintain their balance, especially in difficult and contentious situations.
PTS: 1 REF: 596
2. In the United States, there’s no state or national licensing body for computer forensics examiners.
PTS: 1 REF: 597
3. Experts should be paid in full for all previous work and for the anticipated time required for testimony.
PTS: 1 REF: 600
4. Expert opinions cannot be presented without stating the underlying factual basis.
PTS: 1 REF: 601
5. The American Bar Association (ABA) is a licensing body.
PTS: 1 REF: 603

MULTIPLE CHOICE
1. The most important laws applying to attorneys and witnesses are the ____.
a. professional codes of conduct
b. rules of ethics
c. rules of evidence
d. professional ethics
PTS: 1 REF: 597
2. Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
a. expert
b. direct
c. discovery
d. professional
PTS: 1 REF: 597
3. Attorneys search ____ for information on expert witnesses.
a. disqualification banks
b. deposition banks
c. examination banks
d. cross-examination banks
PTS: 1 REF: 598
4. ____ questions can give you the factual structure to support and defend your opinion.
a. Setup
b. Compound
c. Rapid-fire
d. Hypothetical
PTS: 1 REF: 601
5. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702
b. 703
c. 704
d. 705
PTS: 1 REF: 601
6. FRE ____ describes whether the basis for the testimony is adequate.
a. 700
b. 701
c. 702
d. 703
PTS: 1 REF: 601
7. The ABA’s ____ contains provisions limiting the fees experts can receive for their services.
a. Code 703
b. Model Code
c. Rule 26
d. Code 26-1.a
PTS: 1 REF: 603
8. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. ISFCE
b. IACIS
c. ABA
d. HTCIA
PTS: 1 REF: 603
9. ____ are the experts who testify most often.
a. Civil engineers
b. Computer forensics experts
c. Chemical engineers
d. Medical professionals
PTS: 1 REF: 604
10. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA’s law
b. ABA’s Model Rule
c. APA’s Ethics Code
d. ABA’s Model Codes
PTS: 1 REF: 605
11. The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
a. ABA’s
b. APA’s
c. AMA’s
d. ADA’s
PTS: 1 REF: 605

COMPLETION
1. _____________________ are the rules you internalize and use to measure your performance.
2. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.
3. Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called “____________________.”
4. The ____________________ is the foundation of medical ethics.
5. For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the _____________________ (APA’s) Ethical Principles of Psychologists and Code of Conduct.

MATCHING
Match each item with a statement below:
a. Ethics
b. Federal Rules of Evidence (FRE)
c. Disqualification
d. IACIS
1. provides a well-defined, simple guide for expected behavior of computer forensics examiners
2. prescribe the methods by which experts appear at trial
3. one of the effects of violating court rules or laws
4. help you maintain your self-respect and the respect of your profession

SHORT ANSWER
1. Briefly describe the issues related to an attorney’s “opinion shopping.”
2. What are some of the factors courts have used in determining whether to disqualify an expert?
3. Describe some of the traps for unwary experts.
4. What are some of the most obvious ethical errors?
5. What are some of the guidelines included in the ISFCE code of ethics?
6. What are some of the requirements included in the HTCIA core values?
7. What are some of the standards for IACIS members that apply to testifying?
8. What are the five recommendations set out by the AMA’s policy on expert witness testimony?
9. Why is it difficult to enforce any professional organization’s ethical guidelines?
10. What are the ethical responsibilities owed to you by your attorney?
