4-Digital Evidences
1. _______________________ is any information or data that can be relied on or trusted and can prove
something related to a case in trial, that is, indicating that a certain substance or condition is present.
Ans : Digital Evidence, evidence
2. _________________which has positive impact on the screen occurred, such as the information
supporting an incident.
Ans : Relevant evidence.
3. HDD, CD/DVD media, backup tapes, USB drive, biometric scanner, digital camera, smart phone,
smart card, PDA, etc. are ________________________________________.
a. Physical evidence
b. Electronic evidence
4. Digital evidence may be in the form of _____________________
a. Email messages (including deleted ones)
b. Office file
c. Deleted files of all kinds.
d. Encrypted file
e. Compressed files
f. Temp files
g. Recycle bin
h. Web history
i. Cache files
j. Cookies
k. Registry
l. Unallocated space
m. Slack space
n. Web/email server access logs
o. Domain access logs
5. Best Evidence Rule
The original copy of the document is considered superior evidence (such as any printout, data stored in a
computer or similar device, or any other output).
6. Rules of Digital evidence (Law of Evidence)
Under these rules, evidence must be:
a. Admissible
b. Authentic
c. Complete
d. Reliable
e. Believable
5. Types of Digital evidence
a. Illustrative evidence (demonstrative evidence): photographs, videos, sound recordings, x-rays,
maps, drawings, graphs, charts, simulations and models.
b. Electronic evidence: proof obtained from electronic sources is called digital evidence (email, hard
drives, etc.).
c. Documented evidence: it is the same as demonstrative evidence; however, here the proof is presented in
writing, such as contracts, wills, invoices, etc.
d. Explainable evidence: It is used in criminal cases in which it supports the dependent.
e. Substantial evidence: A proof that is introduced in the form of a physical object, whether whole or in
part, is referred to as substantial evidence. Also called physical evidence.
f. Testimonial (declaration): It is the kind of evidence spoken by the spectator (viewer, watcher,
observer) under oath, or written evidence given under oath by an official declaration, that is, an
affidavit.
7. Characteristics of Digital evidence
1. Locard’s exchange principle: According to Edmond Locard’s principle, “when two items make contact,
there will be an interchange”. The Locard principle is often cited in forensic science and is relevant in
digital forensics investigations.
2. Digital stream of bits
Cohen refers to digital evidence as a bag of bits, which in turn can be arranged in arrays to display the
information.
8. Evidence transfer in the physical and digital dimensions helps investigators establish connections
between ______________________________________________.
Ans : victims, offenders and crime scenes
9. Chain of custody is also referred as __________________
Ans : forensic link.
10. _________________is chronological documentation of electronic evidence.
Ans : Chain of custody
11. Chain of custody indicates __________________________________
Ans : the collections, sequence of control, transfer and analysis.
12. _______________________ is important to preserve the integrity of the evidence and prevent it from
contamination.
Ans : Chain of custody
13. Volatile evidence (Order of volatility )
a. Registers and cache
b. Routing tables
c. ARP cache
d. Process table
e. Kernel statistics and modules
f. Main memory
g. Temporary file system
h. Secondary memory
i. Router configuration
j. Network topology
14. Digital evidence is used to establish a credible link between _________
a. Attacker and victim and the crime scene
b. Attacker and the crime scene
c. Victim and the crime scene
d. Attacker and information
15. Digital evidence must follow the requirement of the _________
a. Ideal evidence rule
b. Best evidence rule
c. Exchange rule
d. All of the mentioned
16. The evidence or proof that can be obtained from an electronic source is called _________
a. digital evidence
b. Demonstrative evidence
c. Explainable evidence
d. Substantial evidence
17. Which of the following is not a type of volatile evidence
a. routing tables
b. Main memory
c. Log files
d. Cached data
18.A valid definition of digital evidence is:
a.Data stored or transmitted using a computer
b.Information of probative value
c.Digital data of probative value
d.Any digital evidence on a computer
19.What are the three general categories of computer systems that can
contain digital evidence?
a.Desktop, laptop, server
b.Personal computer, Internet, mobile telephone
c.Hardware, software, networks
d.Open computer systems, communication systems, embedded systems
20.In terms of digital evidence, a hard drive is an example of:
a.Open computer systems
b.Communication systems
c.Embedded computer systems
d.None of the above
21.In terms of digital evidence, a mobile telephone is an example of:
a.Open computer systems
b.Communication systems
c.Embedded computer systems
d.None of the above
22.In terms of digital evidence, a Smart Card is an example of:
a.Open computer systems
b.Communication systems
c.Embedded computer systems
d.None of the above
23.In terms of digital evidence, the Internet is an example of:
a.Open computer systems
b.Communication systems
c.Embedded computer systems
d.None of the above
24.Computers can be involved in which of the following types of crime?
a.Homicide and sexual assault
b.Computer intrusions and intellectual property theft
c.Civil disputes
d.All of the above
25.A logon record tells us that, at a specific time:
a.An unknown person logged into the system using the account
b.The owner of a specific account logged into the system
c.The account was used to log into the system
d.None of the above
26.Cybertrails are advantageous because:
a.They are not connected to the physical world.
b.Nobody can be harmed by crime on the Internet.
c.They are easy to follow.
d.Offenders who are unaware of them leave behind more clues than they otherwise would
have.
27.Private networks can be a richer source of evidence than the Internet because:
a.They retain data for longer periods of time.
b.Owners of private networks are more cooperative with law enforcement.
c.Private networks contain a higher concentration of digital evidence.
d.All of the above.
28.Due to caseload and budget constraints, often computer security professionals attempt
to limit the damage and close each investigation as quickly as possible. Which of the
following is NOT a significant drawback to this approach?
a.Each unreported incident robs attorneys and law enforcement personnel of an opportunity to
learn about the basics of computer-related crime.
b.Responsibility for incident resolution frequently does not reside with the security
professional, but with management.
c.This approach results in under-reporting of criminal activity, deflating statistics that are used to
allocate corporate and government spending on combating computer-related crime.
d.Computer security professionals develop loose evidence processing habits that can make it
more difficult for law enforcement personnel and attorneys to prosecute an offender.
29.The criminological principle which states that, when anyone, or anything, enters a
crime scene he/she takes something of the scene with him/her, and leaves something of
himself/herself behind, is:
a.Locard’s Exchange Principle
b.Differential Association Theory
c.Beccaria’s Social Contract
d.None of the above
30.The author of a series of threatening e-mails consistently uses “im” instead of “I’m.”
This is an example of:
a.An individual characteristic
b.An incidental characteristic
c.A class characteristic
d.An indeterminate characteristic
31.Personal computers and networks are often a valuable source of evidence. Those
involved with _______ should be comfortable with this technology.
a.Criminal investigation
b.Prosecution
c.Defense work
d.All of the above
32.An argument for including computer forensic training for computer security specialists is:
a.It provides an additional credential.
b.It provides them with the tools to conduct their own investigations.
c.It teaches them when it is time to call in law enforcement.
d.None of the above.
33.Digital evidence is only useful in a court of law.
a.True
b.False
34.Attorneys and police are encountering progressively more digital evidence in their
work.
a.True
b.False
35.Video surveillance can be a form of digital evidence.
a.True
b.False
36.All forensic examinations should be performed on the original digital evidence.
a.True
b.False
37.Digital evidence can be duplicated exactly without any changes to the original data.
a.True
b.False
38.Computers were involved in the investigations into both World Trade Center attacks.
a.True
b.False
39.Computer professionals who take inappropriate actions when they encounter child
pornography on their employer’s systems can lose their jobs or break the law.
a.True
b.False
40.Digital evidence is always circumstantial.
a.True
b.False
41.Digital evidence alone can be used to build a solid case.
a.True
b.False
42.Automobiles have computers that record data such as vehicle speed, brake status, and
throttle position when an accident occurs.
a.True
b.False
43.Computers can be used by terrorists to detonate bombs.
a.True
b.False
44.The aim of a forensic examination is to prove with certainty what occurred.
a.True
b.False
45. Even digital investigations that do not result in legal action can benefit from
principles of forensic science.
a.True
b.False
46. Forensic science is the application of science to investigation and prosecution of
crime or to the just resolution of conflict.
a. True
b. False
47. When a file is deleted from a hard drive, it can often be recovered.
a. True
b. False
48.Computers can play the following roles in a crime:
a.Target, object, and subject
b.Evidence, instrumentality, contraband, or fruit of crime
c.Object, evidence, and tool
d.Symbol, instrumentality, and source of evidence
49.The first US law to address computer crime was:
a.Computer Fraud and Abuse Act (CFAA)
b.Florida Computer Crime Act
c.Computer Abuse Act
d.None of the above
50.The following specializations exist in digital investigations:
a.First responder (a.k.a. digital crime scene technician)
b.Forensic examiner
c.Digital investigator
d.All of the above
51.The first tool for making forensic copies of computer storage media was:
a.EnCase
b.Expert Witness
c.dd
d.Safeback
52.One of the most common approaches to validating forensic software is to:
a.Examine the source code
b.Ask others if the software is reliable
c.Compare results of multiple tools for discrepancies
d.Computer forensic tool testing projects
53.An instrumentality of a crime is:
a.An instrument used to commit a crime
b.A weapon or tool designed to commit a crime
c.Anything that plays a significant role in a crime
d.All of the above
54.Contraband can include:
a.Child pornography
b.Devices or programs for eavesdropping on communications
c.Encryption devices or applications
d.All of the above
55.A cloned mobile telephone is an example of:
a.Hardware as contraband or fruits of crime
b.Hardware as an instrumentality
c.Information as contraband or fruits of crime
d.Information as evidence
56.Digital photographs or videos of child exploitation are an example of:
a.Hardware as contraband or fruits of crime
b.Hardware as an instrumentality
c.Hardware as evidence
d.Information as contraband or fruits of crime
57.Stolen bank account information is an example of:
a.Hardware as contraband or fruits of crime
b.Information as contraband or fruits of crime
c.Information as an instrumentality
d.Information as evidence
58.A network sniffer program is an example of:
a.Hardware as contraband or fruits of crime
b.Hardware as an instrumentality
c.Information as an instrumentality
d.Information as evidence
59.Computer equipment purchased with stolen credit card information is an example of:
a.Hardware as contraband or fruits of crime
b.Hardware as an instrumentality
c.Hardware as evidence
d.Information as contraband or fruits of crime
60.A printer used for counterfeiting is an example of:
a.Hardware as contraband or fruits of crime
b.Hardware as an instrumentality
c.Hardware as evidence
d.Information as contraband or fruits of crime
61.Phone company records are an example of:
a.Hardware as contraband or fruits of crime
b.Information as contraband or fruits of crime
c.Information as an instrumentality
d.Information as evidence
62.In the course of conducting forensic analysis, which of the following actions are
carried out?
a.Critical thinking
b.Fusion
c.Validation
d.All of the above
63.A single crime can fall into more than one of the following categories: hardware or
information as evidence, instrumentality, and contraband or fruits of crime.
a.True
b.False
64.The American Society of Crime Laboratory Directors (ASCLD) is the only group to
establish guidelines for how digital evidence is handled in crime labs.
a.True
b.False
65.The NIST Computer Forensic Tool Testing Project has identified all bugs in all
forensic hardware and software.
a.True
b.False
66.A network can be an instrumentality of a crime.
a.True
b.False
67.There is a general agreement as to the meaning of the term “computer crime.”
a.True
b.False
68.Contraband is property that the private citizen is not permitted to possess.
a.True
b.False
69.The main reason for seizing contraband or fruits of crime is to prevent and deter
future crimes.
a.True
b.False
70.A computer can be considered instrumentality because it contained a file that detailed
the growing characteristics of marijuana plants.
a.True
b.False
71.The US Computer Assistance Law Enforcement Act (CALEA) that took effect in
2000 compels telephone companies to keep detailed records of their customers’ calls for
up to three years.
a.True
b.False
72.When a computer contains only a few pieces of digital evidence, investigators are
authorized to collect the entire computer.
a.True
b.False
73.When a computer is used to forge documents or break into other computers, it is the
subject of the crime.
a.True
b.False
74.A flatbed scanner used to digitize child pornography can be considered in both the
hardware as instrumentality and hardware as evidence categories.
a.True
b.False
75.The terms “forensic examination” and “forensic analysis” are the same, and can be
used interchangeably.
a.True
b.False
76.The distinction between a computer as the object and subject of a crime is useful
from an investigative standpoint because it relates to the intent of the offender.
a.True
b.False
77.Network sniffer software is illegal to possess, and therefore is considered contraband.
a.True
b.False
78. The process of documenting the seizure of digital evidence and, in particular,
when that evidence changes hands, is known as:
a.Chain of custody
b.Field notes
c.Interim report
d.None of the above
79. The term “computer contaminant” refers to:
a.Excessive dust found inside the computer case
b.Viruses, worms, and other malware
c.Spam e-mails
d.Nigerian scam e-mails
80. Hacking is an example of:
a.Computer-assisted crime
b.Computer-related crime
c.Computer-integrity crime
d.Computer malfeasance crime