
Computer Forensics

1/12/2015

Principles of Computer Security: Security+ and Beyond


Answers to Chapter 23 Review
Key Terms Quiz
1. Evidence collected in violation of the Fourth Amendment of the United States
Constitution, the Electronic Communications Privacy Act (ECPA), or other aspects of the
United States Code may not be admissible to a court under the terms of the
____________________.
Answer: Exclusionary rule
2. Evidence that is legally qualified and reliable is ____________________.
Answer: Competent evidence
3. Documents, verbal statements, and material objects admissible in a court of law are
called ____________________.
Answer: Evidence
4. The rule whereby courts prefer original evidence rather than a copy to ensure that no
alteration of the evidence (whether intentional or unintentional) has occurred is termed
the ____________________.
Answer: Best evidence rule
5. Evidence that is convincing or measures up without question is ____________________.
Answer: Sufficient evidence
6. ____________________ is the preservation, identification, documentation, and
interpretation of computer data to be used in legal proceedings.
Answer: Forensics
7. ____________________ is evidence that is material to the case or has a bearing on the
matter at hand.
Answer: Relevant evidence

256978646.doc


8. ____________________ is the unused space on a disk drive when a file is smaller than
the allocated unit of storage.
Answer: Slack space
9. ____________________ is oral testimony or other evidence that proves a specific fact
(such as an eyewitness's statement, fingerprint, photo, and so on). The knowledge of the
facts is obtained through the five senses of the witness. There are no inferences or
presumptions.
Answer: Direct evidence
10. ____________________ is the remaining sectors of a previously allocated file that are
available for the operating system to use.
Answer: Free space

Multiple-Choice Quiz
1. Which of the following correctly defines evidence as being competent?
A.) The evidence is material to the case or has a bearing on the matter at hand.
B.) The evidence is presented in the form of business records, printouts, or other items.
C.) The evidence is convincing or measures up without question.
D.) The evidence is legally qualified and reliable.
Answer: D. Answer A is the definition of relevant. Answer B is the definition of documentary evidence. Answer C is the definition of sufficient.
2. Which of the following correctly defines evidence as being relevant?
A.) The evidence is material to the case or has a bearing on the matter at hand.
B.) The evidence is presented in the form of business records, printouts, or other items.
C.) The evidence is convincing or measures up without question.
D.) The evidence is legally qualified and reliable.
Answer: A. Answer B is the definition of documentary evidence. Answer C is the definition of sufficient. Answer D is the definition of competent.
3. Which of the following correctly defines documentary evidence?
A.) Evidence in the form of business records, printouts, manuals, and other items
B.) The knowledge of these facts is obtained through the five senses of the witness.
C.) Used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred
D.) Physical evidence that links the suspect to the scene of a crime
Answer: A. Answer B is the definition of direct evidence. Answer C is the definition of demonstrative evidence. Answer D is the definition of real evidence.
4. Which of the following correctly defines real evidence?
A.) The evidence is convincing or measures up without question.
B.) The evidence is material to the case or has a bearing on the matter at hand.
C.) Used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred.
D.) Tangible objects that prove or disprove a fact.
Answer: D. Answer A is the definition of sufficient. Answer B is the definition of relevant. Answer C is the definition of demonstrative evidence.
5. Which of the following correctly defines the hearsay rule?
A.) The evidence is legally qualified and reliable.
B.) Tangible objects that prove or disprove a fact.
C.) Evidence not gathered from the personal knowledge of the witness.
D.) Evidence in the form of business records, printouts, manuals, or other items.
Answer: C. Answer A is the definition of competent. Answer B is the definition of real evidence. Answer D is the definition of documentary evidence.
6. Which of the following is the LEAST rigorous investigative method?

A.) Using a dedicated forensic workstation.
B.) Verifying software on the suspect system and using that software for the investigation.
C.) Examining the suspect system using its software without verification.
D.) Booting the suspect system with a verified floppy or CD, kernel, and tools.
Answer: C. Answer A is the most rigorous method. Answers B and D lie between: D runs the suspect hardware but only from media and tools you have verified, while B trusts software found on the suspect system after verifying it. C trusts the suspect system's own software with no verification at all, so any Trojan horse or backdoor installed on it is also trusted.
7. Which of the following correctly defines slack space?
A.) The space on a disk drive that is occupied by the boot sector
B.) The space located at the beginning of a partition
C.) The remaining sectors of a previously allocated file that are available for the operating system to use
D.) The unused space on a disk drive when a file is smaller than the allocated unit of storage (as in a sector)
Answer: D. Answers A and B are contrived definitions. Answer C is the definition of free space.
8. Which of the following correctly describes the minimum contents of an evidence control
log book?
A.) Description, Investigator, Case #, Date, Time, Location, Reason
B.) Description, Investigator, Case #, Date, Location, Reason
C.) Description, Case #, Date, Time, Location, Reason
D.) Description, Coroner, Case #, Date, Time, Location, Reason
Answer: A. Answer B omits the Time, answer C omits the Investigator, and answer D lists a Coroner in place of the Investigator, so none of them lists the minimum contents.


9. Which of the following correctly describes a message digest?
A.) An algorithm that applies mathematical operations to a data stream to calculate a unique number based on the information contained in the data stream
B.) A method of verifying that data has been completely deleted from a disk
C.) A method of overwriting data with a specified pattern of 1s and 0s on a disk
D.) A method used to keep an index of all files on a disk
Answer: A. The other answers are contrived responses.


10. Which of the following correctly describes the chain of custody for evidence?
A.) The evidence is convincing or measures up without question.
B.) Accounts for all persons who handled or had access to a specific item of evidence.
C.) Description, Investigator, Case #, Date, Time, Location, Reason
D.) The evidence is legally qualified and reliable.
Answer: B. Answer A is the definition of sufficient. Answer C describes the minimum contents of an evidence control log book. Answer D is the definition of competent.
11. Which of the following correctly defines evidence as being sufficient?
A.) The evidence is convincing or measures up without question.
B.) The evidence is presented in the form of business records, printouts, and so on.
C.) The evidence is material to the case or has a bearing on the matter at hand.
D.) The evidence is legally qualified and reliable.
Answer: A. Answer B is the definition of documentary evidence. Answer C is the definition of relevant evidence. Answer D is the definition of competent evidence.
12. Which of the following correctly defines the exclusionary rule?
A.) Any evidence collected in violation of the Fourth Amendment is not admissible as evidence.
B.) The evidence consists of tangible objects that prove or disprove a fact.
C.) The knowledge of the facts is obtained through the five senses of the witness.
D.) The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.
Answer: A. Answer B is the definition of real evidence. Answer C is the definition of direct evidence. Answer D is the definition of demonstrative evidence.
13. Which of the following correctly defines free space?
A.) The unused space on a disk drive when a file is smaller than the allocated unit of storage (such as a sector).
B.) The space on a disk drive that is occupied by the boot sector.
C.) The space located at the beginning of a partition.
D.) The remaining sectors of a previously allocated file that are available for the operating system to use.
Answer: D. Answer A is the definition of slack space. Answers B and C are contrived definitions.
14. If you are investigating a computer incident, and you need to remove the disk drive from
a computer and replace it with a copy so the user doesn't know it has been exchanged,
how many copies of the disk should you make, and how should they be used?
A.) Five copies: one is to replace the drive that will be removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; one is for analysis; and one is for holding message digests.
B.) Three copies: one is to replace the drive that will be removed; one to be used for file authentication; and one for analysis.
C.) Four copies: one is to replace the drive that will be removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; and one is for holding message digests.
D.) Four copies: one is to replace the removed drive; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; and one is for analysis.
Answer: D. The other answers are contrived responses.


15. Which of the following correctly defines the process of acquiring evidence?

A.) Power down the system, dump the memory, create an image of the system, and analyze the image.
B.) Create an image of the system, analyze the image, dump the memory, and power down the system.
C.) Dump the memory, power down the system, create an image of the system, and analyze the image.
D.) Dump the memory, analyze the image, power down the system, and create an image of the system.
Answer: C. The other answers are not in the correct order. Memory is volatile and is lost the moment power is removed, so it must be captured first; the disk is imaged once the system is down, and all analysis is done on the image so the original is never modified (the best evidence rule).
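The acquisition steps in questions 14 and 15 (copy the drive, keep a sealed copy with the original, verify every copy, analyze only a copy) can be exercised in code. The following is an added example and is not part of the textbook or its answer key: it images a file standing in for a drive, records MD5 and SHA-256 digests of the original and of each of the four copies from question 14, and shows the verification catching a single changed byte in the analysis copy. The file names, the addition of SHA-256 alongside the chapter's MD5, and the sample contents are this example's own assumptions; a real acquisition reads the device node through a write blocker rather than a file, and memory is captured before the system is powered down.

```python
import hashlib
import os
import tempfile

# Digest algorithms recorded for every image. MD5 is the chapter's example; SHA-256 is
# added here (an assumption of this example) because MD5 collisions are practical today.
ALGORITHMS = ("md5", "sha256")
BLOCK_SIZE = 64 * 1024          # read in chunks so a large drive image never sits in RAM
COPY_ROLES = ("replacement", "sealed", "authentication", "analysis")   # the four copies in Q14


def _digest_stream(fin, fout=None):
    """Hash everything read from fin; if fout is given, write the same bytes to it."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while chunk := fin.read(BLOCK_SIZE):
        for h in hashers.values():
            h.update(chunk)
        if fout is not None:
            fout.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path):
    with open(path, "rb") as fin:
        return _digest_stream(fin)


def image_drive(source, destination):
    """Bit-for-bit copy of source into destination; returns digests of the bytes read."""
    with open(source, "rb") as fin, open(destination, "wb") as fout:
        return _digest_stream(fin, fout)


def acquire(original, workdir):
    """Produce the four copies from Q14 and a manifest of digests for the evidence log."""
    reference = hash_file(original)            # digest of the original, untouched drive
    manifest = {"original": reference}
    for role in COPY_ROLES:
        dest = os.path.join(workdir, f"{role}.dd")
        seen = image_drive(original, dest)
        if seen != reference:
            # The source changed between two reads: a live, still-writing system was imaged.
            raise RuntimeError(f"source changed while creating the {role} copy")
        manifest[role] = hash_file(dest)       # re-read the copy; do not trust the write
        if manifest[role] != reference:
            raise RuntimeError(f"{role} copy does not match the original")
    return manifest


def verify(manifest, path, role):
    """Later check (before analysis, or before court): is this copy still pristine?"""
    return hash_file(path) == manifest[role] == manifest["original"]


def demo():
    """Constructed drive contents; verification passes, then catches a tampered copy."""
    payload = b"constructed drive image: " + bytes(range(256)) * 1000   # ~256 KB, several blocks
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.dd")
        with open(original, "wb") as f:
            f.write(payload)
        manifest = acquire(original, workdir)
        analysis = os.path.join(workdir, "analysis.dd")
        intact = verify(manifest, analysis, "analysis")
        with open(analysis, "r+b") as f:       # flip a single byte in the analysis copy
            f.seek(100)
            f.write(b"\x00" if payload[100] != 0 else b"\x01")
        tampered = verify(manifest, analysis, "analysis")
        return {
            "copies_match_original": all(manifest[r] == manifest["original"] for r in COPY_ROLES),
            "intact_before_tamper": intact,
            "tamper_detected": not tampered,
            "md5_matches_hashlib": manifest["original"]["md5"] == hashlib.md5(payload).hexdigest(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digests in the manifest are what goes into the evidence log next to the item description; a copy whose digest no longer matches the original's is not the evidence any more, whichever of the four roles it was made for.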

Essay Quiz
1. A supervisor has brought a confiscated computer to your office which was allegedly used
to view inappropriate material. He has asked you to look for evidence to support this
allegation. Because you work for a small company, you do not have an extra computer
you can dedicate to your analysis. How would you boot the system and begin forensic
analysis? Provide a reason for your method.
Answer: Boot the suspect system from a verified floppy or CD that carries a verified kernel and tools, and do not let the installed operating system start. A normal boot of the suspect's own operating system modifies files before you have looked at them; booting from your own verified media prevents that. It also ensures that every tool you run is one you have checked, so it cannot contain a Trojan horse or backdoor planted on the suspect machine. Without a dedicated workstation this is the next most rigorous method (see multiple-choice question 6); wherever possible, still image the drive and analyze the image rather than the original, as in question 15.
2. Explain why you should always search the free space and slack space if you suspect a
person has deliberately deleted files or information on a workstation that you are
analyzing.
Answer: Deleting a file does not remove its data. Deletion only removes the directory entry and clears the file's pointer in the file allocation table, marking the sector(s) that held the file as available for the operating system to reuse. The bytes themselves stay on the disk until something actually overwrites them: in free space (clusters no longer allocated to any file) and in slack space (the unused tail of a cluster that has since been allocated to a smaller file). Either area can therefore still contain part or all of the deleted information.
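To make the free-space and slack-space argument concrete, here is an added example, not from the textbook, that simulates a tiny FAT-style volume in Python. The cluster size, file names and memo text are constructed for the illustration. Deleting a file only frees its clusters; writing a smaller file into a freed cluster overwrites just the first bytes; and a raw search of the volume, which is what a carving tool does, still finds the rest of the deleted memo in the new file's slack space and in the still-free cluster the memo spilled into.

```python
CLUSTER = 64       # bytes per allocation unit; real volumes use 512 bytes to 64 KB (toy value)
N_CLUSTERS = 8


def slack_bytes(file_size, cluster=CLUSTER):
    """Unused bytes in the last allocation unit of a file of this size."""
    return (-file_size) % cluster


class ToyDisk:
    """Minimal FAT-like volume: raw bytes, an allocation table, and a directory."""

    def __init__(self):
        self.raw = bytearray(CLUSTER * N_CLUSTERS)
        self.allocated = [False] * N_CLUSTERS
        self.directory = {}             # name -> (size, [cluster numbers])

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // CLUSTER))
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for k, c in enumerate(free):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            # Only len(chunk) bytes are written. The rest of the cluster keeps whatever
            # was there before: that is the slack space.
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.allocated[c] = True
        self.directory[name] = (len(data), free)

    def read_file(self, name):
        size, clusters = self.directory[name]
        out = b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return out[:size]

    def delete_file(self, name):
        """Deletion drops the directory entry and frees the clusters; the bytes are untouched."""
        _, clusters = self.directory.pop(name)
        for c in clusters:
            self.allocated[c] = False

    def region(self, offset):
        """Classify a raw offset as live file data, slack space, or free space."""
        c = offset // CLUSTER
        if not self.allocated[c]:
            return "free"
        for size, clusters in self.directory.values():
            if c in clusters:
                logical = clusters.index(c) * CLUSTER + offset % CLUSTER
                return "live" if logical < size else "slack"
        return "slack"                  # allocated but owned by no file (orphaned cluster)

    def carve(self, pattern):
        """What a forensic carving tool does: search the raw bytes, ignoring the file system."""
        hits, start = [], 0
        while (pos := self.raw.find(pattern, start)) != -1:
            hits.append((pos, self.region(pos)))
            start = pos + 1
        return hits


def demo():
    disk = ToyDisk()
    memo = b"CONFIDENTIAL: merger closes 3 Nov, wire 4.2M to escrow account 77-1912"  # 70 bytes, 2 clusters
    disk.write_file("memo.txt", memo)
    disk.delete_file("memo.txt")               # the user "deletes" the memo
    after_delete = disk.carve(b"escrow")       # still on disk, now in free space
    disk.write_file("todo.txt", b"buy milk")   # reuses cluster 0, overwrites only 8 bytes
    after_reuse = disk.carve(b"escrow")        # still on disk, now in todo.txt's slack space
    spilled = disk.carve(b"1912")              # the tail that spilled into cluster 1, still free
    return {
        "after_delete": after_delete,
        "after_reuse": after_reuse,
        "spilled_tail": spilled,
        "todo_reads_back": disk.read_file("todo.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real volume the same search is run over the raw device or the image, not through the file system, and the slack of every allocated cluster is as interesting as the free clusters: a 15-byte file in a 4,096-byte cluster leaves 4,081 bytes of someone else's history behind it.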

256978646.doc

Computer Forensics

1/12/2015

3. You are a member of your company's computer incident response team and have been
called in after hours to investigate an attack in progress. The network engineers have
identified the attack as coming from a workstation in an office area of your company. The
attack is still in progress and needs to be terminated. You are in the office where the
workstation is located and the computer is on with the hard disk light flashing
occasionally. What steps would you take to terminate the attack and secure the computer
for later forensic analysis?
Answer: Because the attack is still in progress and its source is one of your own corporate computers, a memory image is the most valuable thing you can capture. Pulling the plug would destroy everything held in memory, so dump the memory first and only then unplug the workstation (the order given in multiple-choice question 15). The memory image lets you determine which processes were running, their configurations, and so on, which the disk alone may not show. Once the machine is powered down, secure it, log it, and image the disk for later analysis.
4. Due to some suspected illegal activities involving a company employee and their
company computer, a senior manager directed the company's workstation support
personnel to remove the hard disk from the workstation, copy the disk, and replace the
hard disk with the copy. The workstation support person entered the office after hours,
removed the hard disk, took it to his lab (which he shares with another person), imaged
the old drive onto a new drive, replaced the drive and then placed the original hard disk in
his desk drawer. He then locked the lab and went home for the night. How will this
evidence stand up in a court of law?
Answer: This evidence is likely to be challenged because the chain of custody is broken. The support person did not mark, label, log, or secure the original hard disk; he left it in a desk drawer in a lab he shares with another person. He cannot show that no unauthorized person had access to the drive, and in court he could be asked exactly that: how can he be sure no one touched the disk while it sat unsecured? Without a record accounting for everyone who handled or had access to the drive, its integrity as evidence cannot be established.
5. You have been asked by management to secure the laptop computer of an individual that
was just dismissed from the company under unfavorable circumstances. Pretend that your

256978646.doc

Computer Forensics

1/12/2015

own computer is the laptop that has been secured. Make the first entry in your log book
and describe how you would start this incident off correctly by properly protecting and
securing the evidence.
Answer: Your log should contain the information shown next. You should protect the
laptop by tagging it with your initials, date, and case number. You should protect it from
electromagnetic, mechanical, or physical damage. If possible, store it in a room with
minimal traffic, restricted access, camera monitoring, and entry-logging capabilities.
Item Description                Investigator  Case #  Date        Time  Location       Reason
Dell Inspiron laptop computer,  Smith         03-05   3 Nov 2003  0825  Room 621 safe  Safekeeping
Serial number: 62Q3135

Lab Projects
Lab Project 23.1
Use an MD5 or SHA-1 algorithm to obtain the hash value for a file of your choice. Record the
hash value. Change the file with a word processor or text editor. Obtain the hash value for the
modified file. Compare the result.
Answer: Running MD5 or SHA-1 on two different files should result in different hash values.
The following is an example of calculating the MD5 hash on two files named MD5_example.txt
and MD5_example_after_change.txt. The files contain text identical to their file names.
C:\>dir md*.*
 Volume in drive C is LOCAL DISK
 Volume Serial Number is 3C62-11DE

 Directory of C:\

01/05/1999  04:03p              42,496 md5.exe
11/19/2003  11:45p                  15 MD5_example.txt
11/19/2003  11:46p                  28 MD5_example_after_change.txt
               3 File(s)         42,539 bytes
               0 Dir(s)   1,671,606,272 bytes free

C:\>md5 md5_example.txt
DFFB45394FC3452E796FD466B5A5F0F9

C:\>md5 md5_example_after_change.txt
2F023E53F27D8672E07D8E64E1728D36

Lab Project 23.2


In order to understand what information is stored on your computer, examine the contents of the
Temporary Internet Files folders on your own computer as described in the text. Review the file
names and examine the contents of a few of the files. Describe how this information could be
used as evidence of a crime.
Answer: This exercise should show the student just how much information about visited Web sites is stored on the hard disk. Students will likely see a variety of graphics files, which give some idea of the types of Web sites visited. A computer's owner trying to cover his tracks might delete the contents of these folders; finding them emptied can itself be an indication that the person did not want anyone to know which Web sites had been visited, and, as in Lab Project 23.1 and essay question 2, the deleted files may still be recoverable from free space and slack space.
Lab Project 23.3
Visit www.ietf.org/rfc/rfc1321.txt and compile the MD5 algorithm from the information
contained in Appendix A, Reference Implementation, from the Web site. Verify your results
with another version of MD5.
Answer: This project should help students understand the MD5 algorithm in detail. Having built it yourself from the RFC, you can use your version of MD5 knowing that it contains no Trojan horses or backdoors. Students should remember, however, that an implementation error will produce wrong digests, which is exactly why the project ends by verifying the output against another version of MD5 on the same input.
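As an added illustration (not the textbook's code) of what this lab asks for, the following writes out the MD5 algorithm in Python directly from RFC 1321: the padding, the sine-derived constants, the four rounds with their shift amounts, and the little-endian output. matches_reference() performs the lab's final step by comparing the result with another implementation, Python's hashlib. The sample inputs in the __main__ block are the RFC's own test vectors plus the two file names from Lab Project 23.1.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step left-rotation amounts, RFC 1321 section 3.4 (rounds 1 to 4, 16 steps each).
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# T[i] = floor(2^32 * abs(sin(i + 1))), the 64 constants the RFC tabulates in section 3.4.
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5(message: bytes) -> str:
    """MD5 digest of message as a lowercase hex string (RFC 1321 steps 1 to 5)."""
    # Steps 1 and 2: append 0x80, zero-pad to 56 mod 64, append the bit length as a
    # 64-bit little-endian word.
    padded = bytearray(message)
    padded.append(0x80)
    while len(padded) % 64 != 56:
        padded.append(0)
    padded += struct.pack("<Q", (8 * len(message)) & 0xFFFFFFFFFFFFFFFF)

    # Step 3: initial state A, B, C, D.
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # Step 4: process each 512-bit block through the four rounds.
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:             # round 1, F(B, C, D)
                f, g = (b & c) | (~b & d), i
            elif i < 32:           # round 2, G(B, C, D)
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:           # round 3, H(B, C, D)
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:                  # round 4, I(B, C, D)
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + T[i] + m[g]) & MASK32
            a, d, c, b = d, c, b, (b + _rotl(f, SHIFTS[i])) & MASK32
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)

    # Step 5: output A, B, C, D, each little-endian.
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_reference(message: bytes) -> bool:
    """The lab's verification step: compare with another implementation (hashlib)."""
    return md5(message) == hashlib.md5(message).hexdigest()


def file_md5(path: str) -> str:
    """Digest a file the way Lab 23.1 does; binary mode so no newline translation occurs."""
    with open(path, "rb") as f:
        return md5(f.read())


if __name__ == "__main__":
    samples = (b"", b"abc", b"MD5_example.txt", b"MD5_example_after_change.txt", b"x" * 1000)
    for sample in samples:
        print(f"{md5(sample)}  {sample[:30]!r}  agrees with hashlib: {matches_reference(sample)}")
```

Run file_md5() on the 15-byte and 28-byte files from Lab Project 23.1 and compare with the md5.exe output shown there; a text editor that appends a line ending changes the digest, which is itself the point of that lab. MD5 is no longer collision resistant, so for new evidence work record a SHA-256 digest alongside it; for this lab the purpose is detecting accidental or deliberate modification of a known file.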
