Guide to Computer Forensics and Investigations, 4th Edition, 1435498836 Ch. 5 Solutions-1 Chapter 5 Solutions Review Questions 1. Corporate investigations are typically easier than law enforcement investigations for which of the following reasons? a. Most companies keep inventory databases of all hardware and software used. 2. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False? True 3. If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False? True 4. As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.) a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. 5. The plain view doctrine in computer searches is well-established law. True or False? False 6. If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.) a. Coordinate with the HAZMAT team. c. Assume the suspect computer is contaminated. 7. What are the three rules for a forensic hash? It can’t be predicted, no two files can have the same hash value, and if the file changes, the hash value changes. 8. In forensic hashes, a collision occurs when ____________________. two files have the same hash value 9. List three items that should be in an initial-response field kit. Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm camera, evidence log forms, notebook or dictation recorder, computer evidence bags (antistatic bags), evidence labels, tape, and tags, permanent ink marker, USB drives or large portable hard drive 10. When you arrive at the scene, why should you extract only those items you need to acquire evidence? to minimize how much you have to keep track of at the scene 11. Computer peripherals or attachments can contain DNA evidence. True or False? True Guide to Computer Forensics and Investigations, 4th Edition, 1435498836 Ch. 5 Solutions-2 12. If a suspect computer is running Windows 2000, which of the following can you perform safely? a. Browsing open applications 13. Describe what should be videotaped or sketched at a computer crime scene. Computers, cable connections, overview of scene—anything that might be of interest to the investigation 14. Which of the following techniques might be used in covert surveillance? a. Keylogging b. Data sniffing 15. Commingling evidence means what in a corporate setting? sensitive corporate information being mixed with data collected as evidence 16. Identify two hashing algorithms commonly used for forensic purposes. MD5 and SHA-1 17. Small companies rarely need investigators. True or False? False 18. If a company doesn’t distribute a computing use policy stating an employer’s right to inspect employees’ computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False? True 19. You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? initial-response field kit 20. You should always answer questions from onlookers at a crime scene. True or False? False Hands-on Projects Hands-On Project 5-1 Students’ answers should address the number of times ISPs have taken the challenge to court and what rulings have resulted. The ACLU is a great source of information, as is eWeek. They should also find references to a program called Carnivore, which is used by the government. Hands-On Project 5-2 Students’ answers should include the following: State that they have contacted their immediate management and legal department to inform them of the facts stated in the project description. List the steps they have taken to preserve and secure the evidence. Include not becoming agents of law enforcement. State that it was a company policy violation investigation that uncovered the criminal finding. Guide to Computer Forensics and Investigations, 4th Edition, 1435498836 Ch. 5 Solutions-3 Hands-On Project 5-3 Students’ answers should include the following: The time they found the powered-on computer and what applications were running The content of each active screen A decision on how they should terminate the active application or the entire computer (whether the student decides to kill power to the computer or perform an orderly shutdown is optional) A detailed list of steps they took to secure physical evidence at the crime scene (for example, videotape or photograph all aspects of the scene) How they tagged evidence and how they plan to inventory (such as using a spreadsheet or written log) Make sure students supply answers with justification on how they terminated the suspect’s computer. They must state why they took that specific action and what justified the action. For example, if students decide to kill power to the computer, they must state that the Web browser was on a generic Web page, such as an ISP’s home page. If they decide to perform an orderly shutdown, they need to state the reason, such as the Web browser was connected to an FTP site and it appears that data was being transferred to the remote site. Optional: Have an open discussion with students on different applications that might lose data while connected to the Internet if power to the computer is shut down. Hands-On Project 5-4 The hash values should be different. Hands-On Project 5-5 The hash values should not be different because the file didn’t change--only the file extension was altered. Case Projects Case Project 5-1 In this case, students are getting evidence secondhand and aren’t in control of the acquisition. They need to emphasize where things could have gone wrong before the evidence was turned over to them. They need to find out who did the search and seizure, where the chain of custody form is, who acquired the drive image, and what forensic tool was used. Case Project 5-2 Students should outline the steps for coordinating with the company’s Investigation Department to preserve evidence while they collect enough information for probable cause to obtain a search warrant. Second, for a company with no internal Investigation Department, students should outline how they coordinate with company management to preserve evidence. Make sure students’ answers don’t violate Fourth Amendment rights and don’t cause the company and employees Guide to Computer Forensics and Investigations, 4th Edition, 1435498836 Ch. 5 Solutions-4 assisting in the investigation to become agents of law enforcement. Students should keep in mind that there might be resistance to releasing computers or allowing police to have access to proprietary information. Case Project 5-3 Students’ answers should include what to tell the informant to do in providing the evidence. They should also outline the steps in obtaining a warrant so that evidence can be seized properly. Make sure students’ answers include specific instructions to the informant on writing a statement or an affidavit describing what he witnessed and preserving any evidence supporting his claim. Case Project 5-4 Students’ answers should include detailed instructions on how the spouse should report the crime to school administrators and outline how the school’s administrators can inspect the computer under guidance from the school district’s Legal Department. An independent investigator can’t simply walk in and acquire a drive image without the employer’s permission, so taking this action wouldn’t preserve the integrity of the evidence. Make sure students’ answers include an explanation of what’s needed for probable cause and state that rumors without collaborative evidence are insufficient to file a police complaint. Case Project 5-5 Students’ answers should include a list of forensic tools and supplies (such as those listed in Table 5-1) needed to preserve magnetic media at the alleged crime scene. Their plans should consider preserving data through external communications, such as telephones and cable connections to the Internet. Make sure students list recording devices, such as video recorders, and evidence forms and tags.