computer forensics chap 1-4

Upload: ravi-raman

Post on 12-Nov-2015


Chapter 1

1) IACIS (International Association of Computer Investigative Specialists) and FLETC (Federal Law Enforcement Training Center).
2) False.
3) The Fourth Amendment.
4) Vulnerability assessment, intrusion response, and investigation (the investigations triad).
5) Internet pornography, espionage, and abuse of Internet properties.
6) False: as long as the company displays a warning (security) banner.
7) To let you cultivate professional relationships with people who specialize in technical areas different from your own.
8) Any of the above.
9) An organization has the right to monitor what end users do; their e-mail is not personal and can be monitored.
10) True.
11) False.
12) Espionage and e-mail harassment.
13) Professional conduct includes ethics, morals, and standards of behaviour; it affects your credibility.
14) It helps you remember what procedures were followed if the case ever goes to court. It can also be used as a reference if you need to remember how you solved a previous problem.
15) Still being established.
16) To reduce conflicts from competing interests among organizations or departments, and to avoid starting investigations based on organizational or departmental gains or jealousy.
17) To provide a sworn statement in support of facts about evidence of a crime, which is submitted to a judge with the request for a search warrant before seizing evidence.
18) The affidavit is a sworn statement in support of facts about, or evidence of, a crime, submitted to a judge with the request for a search warrant before seizing evidence. It includes exhibits (evidence) that support the allegation and justify the warrant. The affidavit is notarized under sworn oath to verify that the information in it is true. The affidavit, the warrant, and the return of service are, in that order, the basic procedure.

Chapter 2

1) Talk to others involved in the case and ask about the incident. Determine whether law enforcement or company security officers have already seized the computer evidence. Determine whether the computer was used to commit a crime or contains evidence about the crime.
2) Determine the OS of the suspect computer and list the software needed for the examination.
3) Case number, name of the investigator assigned to the case, nature of the case, location where the evidence was obtained, description of the evidence, and so on.
4) Identify the risks, i.e. the set of things that can or normally will happen. Who is the user? What type of equipment is involved?
5) False, because other investigators or persons involved in the case might alter something in the evidence.
6) True: antistatic bags protect computers and other digital equipment from static electricity, which could damage the evidence.
7) Only the investigators in the group.
8) A hostile work environment caused by inappropriate Internet use, and sending harassing e-mail messages.
9) To ensure that the data isn't altered.
10) An explanation of basic computer and network processes, a narrative of the steps you took, a description of your findings, and the log files generated by your analysis tools.
11) To improve your work. Self-evaluation is an essential part of professional growth: the critique lets you identify successful decisions and actions and determine how you could have improved your performance.
12) Chain of custody.
13) The acquisition officer documents the items the investigating officers collected with the computer, including a list of storage media and removable disks; notes whether the computer was running and, if so, which OS; and photographs the computer setup, the screen, and all open windows if the computer is on. Keep a crime scene security log, establish an initial perimeter (inner and outer perimeters if necessary), and protect items of evidentiary value.
14) A disgruntled employee, an attempt to embarrass management, a power struggle between corporations, or premature release of information on new products.
15) An interrogation tries to get a suspect to confess; an interview gathers information from a witness. Sometimes a witness being questioned loses credibility and becomes a suspect.
16) When conducting an investigation under attorney-client privilege (ACP), you must keep all findings confidential.
17) 1) A memorandum from the attorney; 2) a list of keywords of interest to the investigation; 3) comparison of hash values; 4) bit-stream imaging; 5) documentation (private legal material).
18) False.

Chapter 4

1) To preserve the digital evidence.
2) Raw format, proprietary formats, and Advanced Forensic Format (AFF).
3) Advantages: fast data transfers and the ability to ignore minor read errors on the source drive. Disadvantages: it requires as much storage space as the original disk, and it might not collect marginal (bad) sectors on the source drive.
4) Whether or not to compress the image, the ability to split an image into smaller segmented files, and the ability to integrate metadata (date and time, hash values) into the image file.
5) Expert Witness Format.
6) EnCase, SafeBack, and SnapCopy.
7) Only specific files of interest to the case.
8) Fragments of unallocated data in addition to the logically allocated data.
9) The size of the source drive, whether the source drive must be retained as evidence, how long the acquisition will take, and where the disk evidence is located.
10) There is no limit to the size of data you can write to magnetic tape.
11) When the suspect computer can't be taken offline for several hours but can be shut down long enough to swap disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence.
12) To ensure at least one good copy of the forensically collected data in case of any failure.
13) Determining whether there is sufficient electrical power and lighting, and checking the temperature and humidity at the location.
14) If the target drive is an external USB drive, the write-protect feature prevents data from being written to it.
15) Newer Linux distributions automatically mount a USB device, which could alter data on it.
16) False. The correct command is: dcfldd if=/dev/hda1 of=image_file.img
17) Validation.
18) A program (hashing algorithm) designed to produce a binary or hexadecimal number that uniquely represents a data set, file, or entire disk; any change to the data changes the value.
19) md5sum and sha1sum.
20) hash=, hashlog=, and vf=.
21) 2 GB (a limitation of FAT file systems). FAT32 itself allows files of up to 4 GB minus one byte; 2 GB is the conservative segment size the textbook uses, and it also fits FAT16 volumes.
22) 1) The amount of data storage needed; 2) the type of RAID (0, 1, 5, etc.); 3) whether your acquisition tool can handle RAID acquisitions; 4) whether your analysis tool can handle RAID data; 5) whether your analysis tool can split RAID data into separate drives.
23) False. They are designed as data recovery tools, but they are useful for rebuilding corrupt data when forensics tools fail.
24) a. Data transfer speeds; b. access permissions over the network; c. antivirus, antispyware, and firewall programs.
25) ProDiscover provides 256-bit AES or Twofish encryption with a GUID and encrypts the password on the suspect's workstation.
26) Servlet.
27) PDServer.
28) DiskExplorer for NTFS or DiskExplorer for FAT.
29) False.
30) TCP/IP and a serial RS-232 port.
31) EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response.
32) True.
33) True.
34) False.
35)
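The Chapter 4 answers on raw-format acquisition (Q3: ignoring minor read errors, Q4: segmented images and embedded hash metadata, Q16-Q21: dcfldd with hash=/hashlog=/vf= and validation with md5sum/sha1sum) describe one procedure. The following added example, written for this page and not taken from the textbook or from dcfldd, implements that procedure in Python against a constructed in-memory "drive" so it runs offline: a sector-by-sector bit-stream copy written into segment files of a fixed maximum size, zero-filling of an unreadable sector instead of aborting (what dd conv=noerror,sync and dcfldd do), MD5/SHA-1 recorded as the data is read, and a later validation that rehashes the stored segments and compares. The sector size, the SimulatedDrive class, the segment naming (image.000, image.001, ...) and the sample data are all assumptions of the example.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed logical sector size for the simulated drive


class SimulatedDrive:
    """Constructed stand-in for a raw device such as /dev/sda: a byte buffer
    plus a set of sector numbers that raise an I/O error when read."""

    def __init__(self, data, bad_sectors=()):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sector_count(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError("Input/output error reading sector %d" % n)
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(drive, out_dir, segment_size, noerror=True):
    """Bit-stream copy of `drive` into numbered segment files (image.000, image.001, ...)
    of at most `segment_size` bytes each. With noerror=True a sector that fails to read is
    zero-filled and logged rather than aborting the acquisition (the behaviour of
    dd conv=noerror,sync and of dcfldd). Returns the metadata to keep with the image:
    hashes of the data stream as it was read, the segment paths, and the bad sectors."""
    if segment_size % SECTOR:
        raise ValueError("segment_size must be a multiple of the sector size")
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    segments, bad = [], []
    fh, written = None, 0
    for n in range(drive.sector_count):
        try:
            chunk = drive.read_sector(n)
        except OSError:
            if not noerror:
                raise
            bad.append(n)
            chunk = b"\x00" * SECTOR  # pad so offsets in the image still match the source
        if fh is None or written >= segment_size:
            if fh is not None:
                fh.close()
            path = os.path.join(out_dir, "image.%03d" % len(segments))
            fh = open(path, "wb")
            segments.append(path)
            written = 0
        fh.write(chunk)
        written += SECTOR
        md5.update(chunk)
        sha1.update(chunk)
    if fh is not None:
        fh.close()
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "segments": segments, "bad_sectors": bad}


def hash_segments(paths):
    """Rehash the segment files in order, as md5sum/sha1sum over the joined image would."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(1 << 16), b""):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify(meta):
    """Validation step: the stored image must hash to the values recorded at acquisition."""
    md5, sha1 = hash_segments(meta["segments"])
    return md5 == meta["md5"] and sha1 == meta["sha1"]


def demo():
    """Acquire a constructed 16-sector drive with one unreadable sector into four
    segments, validate the image, then tamper with a segment and validate again."""
    data = bytes(range(256)) * 32               # 8 KiB of constructed sample data
    drive = SimulatedDrive(data, bad_sectors={5})
    with tempfile.TemporaryDirectory() as d:
        meta = acquire(drive, d, segment_size=4 * SECTOR)
        verified = verify(meta)
        with open(meta["segments"][1], "r+b") as fh:   # flip one byte in image.001
            fh.write(b"X")
        verified_after_tamper = verify(meta)
    return {
        "segments": len(meta["segments"]),
        "bad_sectors": meta["bad_sectors"],
        "verified": verified,
        "verified_after_tamper": verified_after_tamper,
        # The recorded hash covers what was *read*: with a zero-filled sector it no
        # longer matches a hash of the pristine source, which the case notes must explain.
        "matches_pristine_source": meta["md5"] == hashlib.md5(data).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

The last field is the caveat behind Q3 and Q17: once a bad sector has been padded, the acquisition hash documents the image as captured, not the original medium, so the bad-sector log (dcfldd's hashlog= output plays this role) has to be kept with the hashes or a later hash of the source drive will not match the image.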