Guide to Computer Forensics and Investigations 5th Edition Bill Nelson Amelia Phillips Christopher Steuart- Test Bank

​

• What type of computing investigation service is needed for your organization?
• Who are the potential customers for this service, and how will it be budgeted—as an
internal operation (police department or company security department, for instance) or
an external operation (a for-profit business venture)?
• How will you advertise your services to customers?
• What time-management techniques will you use?
• Where will the initial and sustaining budget for business operations come from?

​

• Appoint a key custodian who’s responsible for distributing keys.
• Stamp sequential numbers on each duplicate key.
• Maintain a registry listing which key is assigned to which authorized person.
• Conduct a monthly audit to ensure that no authorized person has lost a key.
• Take an inventory of all keys when the custodian changes.
• Place keys in a lockable container accessible only to the lab manager and designated
key custodian.
• Maintain the same level of security for keys as for evidence containers.
• Change locks and keys annually; if a key is missing, replace all associated locks and
the key.
• Do not use a master key for several locks.

​

• How many digital forensics examiners will you need?
• How much training will each examiner require per year, and what are the estimated costs?
• Will you need more than one lab?
• How many digital forensics examiners will use each lab? Will there be a need to accommodate other nonexaminers temporarily to inspect recovered evidence?
• What are the costs to construct a secure lab?
• Is there a suitable room that can be converted into a lab?
• Does the designated room have enough electrical power and heating, ventilation, and air-conditioning (HVAC) systems?
• Does the designated room have existing phone lines and network cables? If not, how much will it cost to install these items?
• Is there an adequate lock on the designated room’s door?
• What will the furniture costs be?
• Will you need to install an alarm system?
• Are there any other facility costs, such as fees for janitorial services and facility maintenance services?
• If IT support is needed, how many hours of support are estimated?

​

​• Inspect the lab’s ceiling, floor, roof, and exterior walls at least once a month, looking
for anything unusual or new.
• Inspect doors to make sure they close and lock correctly.
• Check locks to see whether they need to be replaced or changed.
• Review visitor logs to see whether they’re being used properly.
• Review log sheets for evidence containers to determine when they have been opened
and closed.
• At the end of every workday, secure any evidence that’s not being processed on a
forensic workstation.

• ​Business records, including those of a public agency
• Certain public records and reports
• Evidence of the absence of a business record or entry
• Learned treatises used to question an expert witness
• Statement of the absence of a public record or entry

• ​The officer is where he or she has a legal right to be.
• Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars.
• Any discovery must be by chance.

​

A keyed hash set is created by an encryption utility’s secret key. You can use the secret key to create a unique hash value for a file. Although a keyed hash set can’t identify files as nonkeyed hash methods can, it can produce a unique hash set for digital evidence.

​

After you discover illegal activity and document and report the crime, stop your investigation to make sure you don’t violate Fourth Amendment restrictions on obtaining evidence. If the information you supply is specific enough to meet the criteria for a search warrant, the police are responsible for obtaining a warrant that requests any new evidence. If you follow police instructions to gather additional evidence without a search warrant after you report a crime, you run the risk of becoming an agent of law enforcement. Instead, consult with your corporate attorney on how to respond to a police request for information. The police and prosecutor should issue a subpoena for any additional new evidence, which minimizes your exposure to potential civil liability. In addition, you should keep all documentation of evidence collected to investigate an internal company policy violation.

1. Assign one person, if possible, to collect and log all evidence. Minimize the number of people handling evidence to ensure its integrity.
2. Ta​g all the evidence you collect with the current date and time, serial numbers or unique features, make and model, and name of the person who collected it.
3. Maintain two separate logs of collected evidence to be reconciled for audit control purposes and to verify everything you have collected.
4. Maintain constant control of the collected evidence and the crime or incident scene.

• Know all aspects of the system being seized and searched.
• Direct investigators on how to handle sensitive media and systems to prevent damage.
• Help ensure security of the scene.
• Help document the planning strategy for the search and seizure.
• Conduct ad hoc training for investigators on the technologies and components being seized and searched.
• Document activities during the search and seizure.
• Help conduct the search and seizure.

1. Copy all image files to a large drive.
2. Start your forensics tool to access and open the image files.
3. Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash.
4. When you finish copying image files to a larger drive, secure the original media in an evidence locker. Don’t work with the original media; it should be stored in a locker that has an evidence custody form. Be sure to fill out the form and date it.

​

• CDs​
• DVDs
• DVD-Rs
• DVD+Rs
• DVD-RWs