What is the first common task when handling evidence?
Answer: Evidence identification must begin before you can begin the collection and analysis process.
Which type of hardware is never of interest to an investigation?
Answer: All hardware is of potential interest to your investigation.
When attempting to prove that an individual used a computer, what clues might computer hardware provide?
Answer: Fingerprints can directly relate a person with a computer.
In addition to hard disk drives, where else might data containing evidence reside?
Answer: Removable media is a common hiding place for data. People trying to hide data often equate portability with security.
Should handwritten notes be considered in a computer forensics investigation?
Answer: Yes. People naturally write notes of all kinds. You will likely find clues about how a person uses a computer by looking at the notes around it.
What is the primary concern in evidence collection and handling?
Answer: Preserving evidence and ensuring that it does not change after it is collected is the primary concern during collection and handling. Tainting evidence destroys credibility and makes evidence inadmissible in a court of law.
Can you analyze a system that is intact and running?
Answer: Yes, you can analyze it with specialized forensic tools.
What happens when a PDA's battery runs down?
Answer: When a PDA's battery runs down, all data stored in the PDA is lost.
What device prohibits any changes to a hard disk drive?
Answer: Write blockers (both hardware and software) stop all write operations that will change the contents of a drive.
How can you prove that you made no changes to a disk drive during analysis?
Answer: Create hash values before and after analysis, and then compare the two. If the hash values are the same, the images are the same.