
Name: ________________________ Class: ___________________ Date: __________

ID: A

SampleFinal
True/False
Indicate whether the statement is true or false.

____ 1. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.
____ 2. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.
____ 3. People need ethics to help maintain their balance, especially in difficult and contentious situations.
____ 4. In the United States, there's no state or national licensing body for computer forensics examiners.

Multiple Choice
Identify the choice that best completes the statement or answers the question.

____ 5. ____ are devices and/or software placed on a network to monitor traffic.
    a. Packet sniffers
    b. Bridges
    c. Hubs
    d. Honeypots

____ 6. E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
    a. client/server architecture
    b. central distribution architecture
    c. client architecture
    d. peer-to-peer architecture

____ 7. With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
    a. command-line
    b. shell-based
    c. prompt-based
    d. GUI

____ 8. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
    a. .ost
    b. .eml
    c. .msg
    d. .pst

____ 9. ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
    a. Continuous logging
    b. Automatic logging
    c. Circular logging
    d. Server logging

____ 10. Exchange logs information about changes to its data in a(n) ____ log.
    a. checkpoint
    b. communication
    c. transaction
    d. tracking

____ 11. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
    a. legal-sequential
    b. roman-sequential
    c. arabic-sequential
    d. letter-sequential


____ 12. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
    a. year of publication and author's last name
    b. author's last name
    c. author's last name and year of publication
    d. year of publication

____ 13. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
    a. technical/scientific
    b. expert
    c. lay witness
    d. deposition

____ 14. ____ evidence is evidence that exonerates or diminishes the defendant's liability.
    a. Rebuttal
    b. Plaintiff
    c. Inculpatory
    d. Exculpatory

Completion
Complete each statement.

15. An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message.
16. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.
17. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.
18. When writing a report, _________________________ means the tone of language you use to address the reader.
19. The ______________________________ system is frequently used when writing pleadings.
20. The ______________________ of evidence supports the integrity of your evidence.
21. Depending on your attorney's needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.
22. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.

Matching
Match each item with a statement below:
    a. CDMA
    b. iDEN
    c. EDGE
    d. ROM

____ 23. nonvolatile memory


____ 24. one of the most common digital networks, it uses the full radio frequency spectrum to define channels

Match each item with a statement below:
    a. Plaintiff
    b. Motion in limine
    c. Voir dire
    d. Opening statements
    e. Discovery deposition
    f. CV
    g. Testimony preservation deposition
    h. Voir dire
    i. MD5

____ 25. presents the case during a trial
____ 26. provide an overview of the case during a trial
____ 27. questioning potential jurors to see whether they're qualified
____ 28. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems
____ 29. lists your professional experience
____ 30. allows the judge to decide whether certain evidence should be admitted when the jury isn't present

Short Answer

31. How should you proceed if your network forensic investigation involves other companies?
32. What are some of the tools included with Knoppix STD?
33. Why are network router logs important during an e-mail investigation?
34. What are some of the features offered by SIMCon?
35. What is the basic structure of a report?
36. Provide some guidelines for writing an introduction section for a report.
37. What are some of the factors courts have used in determining whether to disqualify an expert?


SampleFinal Answer Section


TRUE/FALSE

1. ANS: T PTS: 1 REF: 489
2. ANS: T PTS: 1 REF: 565
3. ANS: T PTS: 1 REF: 596
4. ANS: T PTS: 1 REF: 597

MULTIPLE CHOICE

5. ANS: A PTS: 1 REF: 454
6. ANS: A PTS: 1 REF: 469
7. ANS: D PTS: 1 REF: 472
8. ANS: D PTS: 1 REF: 483
9. ANS: C PTS: 1 REF: 485
10. ANS: C PTS: 1 REF: 489
11. ANS: A PTS: 1 REF: 538
12. ANS: C PTS: 1 REF: 541
13. ANS: A PTS: 1 REF: 558
14. ANS: D PTS: 1 REF: 569

COMPLETION

15. ANS: Reply to
PTS: 1 REF: 482

16. ANS:
third-generation (3G)
third-generation
3G
3G (third-generation)
PTS: 1 REF: 515

17. ANS:
Time Division Multiple Access (TDMA)
Time Division Multiple Access
TDMA
TDMA (Time Division Multiple Access)
PTS: 1 REF: 516

18. ANS: style
PTS: 1 REF: 537

19. ANS: legal-sequential numbering
PTS: 1 REF: 539

20. ANS: chain of custody
PTS: 1 REF: 559

21. ANS: consulting expert
PTS: 1 REF: 560

22. ANS: Codes of professional conduct or responsibility
PTS: 1 REF: 596

MATCHING

23. ANS: D PTS: 1 REF: 517
24. ANS: A PTS: 1 REF: 515

25. ANS: A PTS: 1 REF: 563
26. ANS: D PTS: 1 REF: 563
27. ANS: C PTS: 1 REF: 563
28. ANS: G PTS: 1 REF: 573
29. ANS: F PTS: 1 REF: 561
30. ANS: B PTS: 1 REF: 562

SHORT ANSWER

31. ANS: As with all investigations, keep preservation of evidence in mind. Your investigation might turn up other companies that have been compromised. In much the same way you wouldn't turn over proprietary company information to become public record, you shouldn't reveal information discovered about other companies. In these situations, the best course of action is to contact the companies and enlist their aid in tracking down network intruders. Depending on the situation, at some point you might have to report the incident to federal authorities.
PTS: 1 REF: 449 TOP: Critical Thinking

32. ANS: A few of the Knoppix STD tools include the following:
* dcfldd: The U.S. DOD computer forensics lab version of the dd command
* memfetch: Forces a memory dump
* photorec: Retrieves files from a digital camera
* snort: A popular IDS that performs packet capture and analysis in real time (www.snort.org)
* oinkmaster: Helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms
* john: The latest version of John the Ripper, a password cracker
* chntpw: Enables you to reset passwords on a Windows computer, including the administrator password
* tcpdump and ethereal: Packet sniffers
PTS: 1 REF: 451 TOP: Critical Thinking

33. ANS: Network administrators maintain logs of the inbound and outbound traffic routers handle. Routers have rules to allow or deny traffic based on source or destination IP address. In most cases, a router is set up to track all traffic flowing through its ports. Using these logs, you can resolve the path a transmitted e-mail has taken. The network administrator who manages routers can supply the log files you need. Review the router logs to find the victim's (recipient's) e-mail, and look for the unique ID number.
PTS: 1 REF: 484 TOP: Critical Thinking

34. ANS: SIMCon's features include the following:
* Reads files on SIM cards
* Analyzes file content, including text messages and stored numbers
* Recovers deleted text messages
* Manages PIN codes
* Generates reports that can be used as evidence
* Archives files with MD5 and SHA-1 hash values
* Exports data to files that can be used in spreadsheet programs
* Supports international character sets
PTS: 1 REF: 522 TOP: Critical thinking

35. ANS: A report usually includes the sections shown in the following list, although the order varies depending on organizational guidelines or case requirements:
* Abstract
* Table of contents
* Body of report
* Conclusion
* References
* Glossary
* Acknowledgements
* Appendixes
PTS: 1 REF: 535|536 TOP: Critical Thinking

36. ANS: The introduction should state the report's purpose and show that you are aware of its terms of reference. You should also state any methods used and any limitations and indicate how the report is structured. It's important to justify why you are writing the report, so make sure you answer the question "What is the problem?" You should also give readers a map of what you're delivering. Introduce the problem, moving from broader issues to the specific problem, finishing the introduction with the precise aims of the report (key questions). Craft this introduction carefully, setting up the processes you used to develop the information in logical order. Refer to relevant facts, ideas, and theories as well as related research by other authors.
PTS: 1 REF: 536 TOP: Critical Thinking

37. ANS: Factors courts have used in determining whether to disqualify an expert include the following:
* Whether the attorney informed the expert that their discussions were confidential
* Whether the expert reviewed materials marked as confidential or attorney work product
* Whether the expert was asked to sign a confidentiality agreement
* Number of discussions held over a period of time
* The type of documents that were reviewed (publicly filed or confidential)
* The type of information conveyed to the expert: whether it included general or specific data or included confidential information, trial strategies, plans for method of proof, and so forth
* The amount of time involved in discussions or meetings between the expert and attorney
* Whether the expert provided the attorney with confidential information
* Whether the attorney formally retained the expert
* Whether the expert voiced concerns about being retained
* Whether the expert was requested to perform services for the attorney
* Whether the attorney compensated the expert
PTS: 1 REF: 599 TOP: Critical Thinking

SampleFinal [Answer Strip]

_____ T 1.
_____ T 2.
_____ T 3.
_____ T 4.
_____ A 5.
_____ A 6.
_____ D 7.
_____ D 8.
_____ C 9.
_____ C 10.
_____ A 11.
_____ C 12.
_____ A 13.
_____ D 14.
_____ D 23.
_____ A 24.
_____ A 25.
_____ D 26.
_____ C 27.
_____ G 28.
_____ F 29.
_____ B 30.
