1. T or F. You should always answer questions from onlookers at a crime scene.
   Answer: False

2. T or F. Computer peripherals or attachments can contain DNA evidence.
   Answer: True

3. T or F. The plain view doctrine in computer searches is well-established law.
   Answer: False

4. T or F. If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement.
   Answer: True

5. T or F. An initial-response field kit does not contain evidence bags.
   Answer: False

6. List two hashing algorithms commonly used for forensic purposes.
   - MD5 and AES
   - MD5 and SHA-1
   - RSA and RC5
   - AES and SHA-2
   Answer: MD5 and SHA-1

7. T or F. Commingling evidence means that sensitive or confidential information is being mixed with data collected as evidence.
   Answer: True

8. T or F. Small companies rarely need investigators.
   Answer: False

9. You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
   - Extensive-response kit
   - Initial-response kit
   - Lightweight kit
   - Car crash kit
   Answer: Initial-response kit

10. T or F. In forensic hashes, a collision occurs when two different files have the same hash value.
   Answer: True

11. Which of the following techniques might be used in covert surveillance?
   - Keylogging
   - Data sniffing
   - Network logs
   - All of the above
   Answer: All of the above

12. As a private-sector investigator, you can become an agent of law enforcement when which of the following happens?
   - You begin to take orders from a police detective without a warrant or subpoena.
   - Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
   - Your internal investigation begins.
   - None of the above.
   Answer: You begin to take orders from a police detective without a warrant or subpoena.

13. T or F. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause.
   Answer: True

14. T or F. You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation.
   Answer: True

15. If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following?
   - Coordinate with the HAZMAT team.
   - Determine a way to obtain the suspect's computer.
   - Assume the suspect's computer is contaminated.
   - Do not enter alone.
   Answer: Coordinate with the HAZMAT team.

16. When you arrive at the scene, why should you extract only those items you need to acquire evidence?
   - To conceal trade secrets
   - To preserve your physical security
   - To speed up the acquisition process
   - To minimize how much you have to keep track of at the scene
   Answer: To minimize how much you have to keep track of at the scene

17. T or F. If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy.
   Answer: True

18. Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?
   - Most companies keep inventory databases of all hardware and software used.
   - The investigator doesn't have to get a warrant.
   - The investigator has to get a warrant.
   - Users can load whatever they want on their machines.
   Answer: Most companies keep inventory databases of all hardware and software used.

19. What are the three rules for a forensic hash?
   - Fast, reliable, and the hash value should be at least 2048 bits
   - Produce collisions, should be at least 2048 bits, and it can't be predicted
   - It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes
   - It can be predicted, fast and reliable
   Answer: It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes