Guide to Computer Forensics and Investigations, 4th Edition, 1435498836
Ch. 5
Solutions-1
Chapter 5 Solutions
Review Questions
1.
Corporate investigations are typically easier than law enforcement investigations for
which of the following reasons?
a. Most companies keep inventory databases of all hardware and software used.
2.
In the United States, if a company publishes a policy stating that it reserves the right
to inspect computing assets at will, a corporate investigator can conduct covert
surveillance on an employee with little cause. True or False?
True
3.
If you discover a criminal act, such as murder or child pornography, while
investigating a corporate policy abuse, the case becomes a criminal investigation and
should be referred to law enforcement. True or False?
True
4.
As a corporate investigator, you can become an agent of law enforcement when
which of the following happens? (Choose all that apply.)
a. You begin to take orders from a police detective without a warrant or subpoena.
b. Your internal investigation has concluded, and you have filed a criminal complaint and
turned over the evidence to law enforcement.
5.
The plain view doctrine in computer searches is well-established law. True or False?
False
6.
If a suspect computer is located in an area that might have toxic chemicals, you must
do which of the following? (Choose all that apply.)
a. Coordinate with the HAZMAT team.
c. Assume the suspect computer is contaminated.
7.
What are the three rules for a forensic hash?
It can’t be predicted, no two files can have the same hash value, and if the file changes, the
hash value changes.
8.
In forensic hashes, a collision occurs when ____________________.
two files have the same hash value
9.
List three items that should be in an initial-response field kit.
Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop
IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect
external bay, flashlight, digital camera or 35mm camera, evidence log forms, notebook or
dictation recorder, computer evidence bags (antistatic bags), evidence labels, tape, and tags,
permanent ink marker, USB drives or large portable hard drive
10. When you arrive at the scene, why should you extract only those items you need to
acquire evidence?
to minimize how much you have to keep track of at the scene
11. Computer peripherals or attachments can contain DNA evidence. True or False?
True
Guide to Computer Forensics and Investigations, 4th Edition, 1435498836
Ch. 5
Solutions-2
12. If a suspect computer is running Windows 2000, which of the following can you
perform safely?
a. Browsing open applications
13. Describe what should be videotaped or sketched at a computer crime scene.
Computers, cable connections, overview of scene—anything that might be of interest to the
investigation
14. Which of the following techniques might be used in covert surveillance?
a. Keylogging
b. Data sniffing
15. Commingling evidence means what in a corporate setting?
sensitive corporate information being mixed with data collected as evidence
16. Identify two hashing algorithms commonly used for forensic purposes.
MD5 and SHA-1
17. Small companies rarely need investigators. True or False?
False
18. If a company doesn’t distribute a computing use policy stating an employer’s right to
inspect employees’ computers freely, including e-mail and Web use, employees have
an expectation of privacy. True or False?
True
19. You have been called to the scene of a fatal car crash where a laptop computer is still
running. What type of field kit should you take with you?
initial-response field kit
20. You should always answer questions from onlookers at a crime scene. True or False?
False
Hands-on Projects
Hands-On Project 5-1
Students’ answers should address the number of times ISPs have taken the challenge to court and
what rulings have resulted. The ACLU is a great source of information, as is eWeek. They should
also find references to a program called Carnivore, which is used by the government.
Hands-On Project 5-2
Students’ answers should include the following:

State that they have contacted their immediate management and legal department to
inform them of the facts stated in the project description.

List the steps they have taken to preserve and secure the evidence.

Include not becoming agents of law enforcement.

State that it was a company policy violation investigation that uncovered the criminal
finding.
Guide to Computer Forensics and Investigations, 4th Edition, 1435498836
Ch. 5
Solutions-3
Hands-On Project 5-3
Students’ answers should include the following:

The time they found the powered-on computer and what applications were running

The content of each active screen

A decision on how they should terminate the active application or the entire computer
(whether the student decides to kill power to the computer or perform an orderly
shutdown is optional)

A detailed list of steps they took to secure physical evidence at the crime scene (for
example, videotape or photograph all aspects of the scene)

How they tagged evidence and how they plan to inventory (such as using a spreadsheet or
written log)
Make sure students supply answers with justification on how they terminated the suspect’s
computer. They must state why they took that specific action and what justified the action. For
example, if students decide to kill power to the computer, they must state that the Web browser
was on a generic Web page, such as an ISP’s home page. If they decide to perform an orderly
shutdown, they need to state the reason, such as the Web browser was connected to an FTP site
and it appears that data was being transferred to the remote site.
Optional: Have an open discussion with students on different applications that might lose data
while connected to the Internet if power to the computer is shut down.
Hands-On Project 5-4
The hash values should be different.
Hands-On Project 5-5
The hash values should not be different because the file didn’t change--only the file extension was
altered.
Case Projects
Case Project 5-1
In this case, students are getting evidence secondhand and aren’t in control of the acquisition.
They need to emphasize where things could have gone wrong before the evidence was turned over
to them. They need to find out who did the search and seizure, where the chain of custody form is,
who acquired the drive image, and what forensic tool was used.
Case Project 5-2
Students should outline the steps for coordinating with the company’s Investigation Department to
preserve evidence while they collect enough information for probable cause to obtain a search
warrant. Second, for a company with no internal Investigation Department, students should outline
how they coordinate with company management to preserve evidence. Make sure students’
answers don’t violate Fourth Amendment rights and don’t cause the company and employees
Guide to Computer Forensics and Investigations, 4th Edition, 1435498836
Ch. 5
Solutions-4
assisting in the investigation to become agents of law enforcement. Students should keep in mind
that there might be resistance to releasing computers or allowing police to have access to
proprietary information.
Case Project 5-3
Students’ answers should include what to tell the informant to do in providing the evidence. They
should also outline the steps in obtaining a warrant so that evidence can be seized properly. Make
sure students’ answers include specific instructions to the informant on writing a statement or an
affidavit describing what he witnessed and preserving any evidence supporting his claim.
Case Project 5-4
Students’ answers should include detailed instructions on how the spouse should report the crime
to school administrators and outline how the school’s administrators can inspect the computer
under guidance from the school district’s Legal Department. An independent investigator can’t
simply walk in and acquire a drive image without the employer’s permission, so taking this action
wouldn’t preserve the integrity of the evidence. Make sure students’ answers include an
explanation of what’s needed for probable cause and state that rumors without collaborative
evidence are insufficient to file a police complaint.
Case Project 5-5
Students’ answers should include a list of forensic tools and supplies (such as those listed in Table
5-1) needed to preserve magnetic media at the alleged crime scene. Their plans should consider
preserving data through external communications, such as telephones and cable connections to the
Internet. Make sure students list recording devices, such as video recorders, and evidence forms
and tags.