CFA
What are examples of Technical Steganography? - ANS Invisible ink, microdots, and
computer-based methods.
What is digital evidence and what can happen if not handled correctly? - ANS Digital evidence
is a chaotic form of evidence, and it is critical to handle it correctly. During the investigation,
it can be altered maliciously or unintentionally without leaving any traces. Digital evidence is
circumstantial,
What should be done with all evidence from the crime scene, and why? - ANS It should be
analyzed and re-analyzed, in case it is used as evidence.
What is the role of digital evidence in a case? - ANS Role of digital evidence is to establish a
credible link between the attacker, victim, and the crime scene.
What does it mean when digital evidence is Believable? - ANS The evidence must be presented in a clear and
comprehensible manner to the members of the jury. They must explain the facts clearly and
obtain an expert opinion on the same to confirm the investigation process.
What does it mean when digital evidence is Reliable? - ANS The evidence while maintaining a
record of the tasks performed during the process to prove that the evidence is dependable.
Forensic investigations must be conducted only on the copies of the evidence because the court
needs to have the original evidence for future reference.
What does it mean when digital evidence is Complete? - ANS It means the evidence must
either prove or disprove the consensual fact in the litigation. If the evidence fails to do so, the
court is liable to dismiss the case citing lack of strong evidence.
What does it mean when digital evidence is Authentic? - ANS Digital evidence must provide
supporting documents regarding the authenticity of the evidence with details such as source
and its relevance to the case. If necessary, they must also furnish details such as author of the
evidence or path of transmission.
What does it mean when digital evidence is Admissible? - ANS The digital evidence needs to
be presented in an admissible manner, which means that it should be relevant to the case, act
in support of the client presenting it, and be well communicated and non-prejudiced.
What can lead to alteration or deletion of evidence? - ANS ▪ If the device is turned off
before volatile data is saved.
▪ If the device is connected to the Internet.
▪ If the device is allowed to run programs.
▪ If data is overwritten.
What is volatile data? - ANS Volatile information is lost when power is removed from the
system. Volatile data can be easily modified or destroyed.
What makes up volatile data? - ANS Volatile data contains system time, logged-on user(s),
open files, network information, process information, process-to-port mapping, process memory,
clipboard contents, service/driver information, and command history.
What is Non-volatile Data? - ANS Non-volatile data is used for secondary storage and persists
for a longer term.
What makes up Non-Volatile Data? - ANS Non-volatile data contains hidden files, slack space,
a swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry
settings, and event logs.
What is Transient Data? - ANS This data contains programs that are in a running state but
deleted from the hard disk.
What makes up Transient Data? - ANS Transient data contains information such as open
network connections, user logout details, programs residing in memory, and cache data. If the
machine is turned off, all this information is lost permanently.
Why is Transient data important? - ANS Even if a program is deleted from the hard disk while it
is still running, it still exists in the memory.
What is the Best Evidence Rule? - ANS The court allows only the original evidence of any
document, photograph, or recording at a trial rather than a copy.
What are the exceptions of the Best Evidence Rule? - ANS ▪ Original evidence is destroyed
due to fire and flood.
▪ Original evidence is destroyed in the normal course of business.
▪ Original evidence is in possession of a third party.
What is the potential evidence for user-created files? - ANS Evidence of criminal activities or
verify the criminal's connection. Photographs can provide clues or be evidence of a crime
themselves, and email or documents might be evidence of communication between criminals or
with victims. Some types of evidence where you can obtain information of investigative value
include:
What are examples of user-created files? - ANS o Address books
o Database files
o Audio or video files
o Documents or text files
o Image or graphics files
o Internet bookmarks or favorites
o Spreadsheet files
What are examples of computer-created files? - ANS o Backup files
o Log and configuration files
o Printer spool files
o Cookies
o Swap and Hidden files
o System files
o History and temporary files
What is the procedure for evidence assessment? - ANS Perform a detailed assessment by
reviewing the official agreement, search warrant, complete case detail, hardware and software
characteristics, probable evidence required, and the conditions near the acquisition of the
evidence to be examined.
While assessing the evidence, what should be done? - ANS ▪ Prioritize the evidence where
necessary: Location of evidence at the crime scene, Stability of media to be examined
▪ Establish how to document the evidence (e.g., photograph, sketch, notes).
▪ Evaluate storage locations for electromagnetic interference.
▪ Determine the state of the evidence after packaging, transport, or storage.
▪ Evaluate the necessity of providing unregulated power supply to battery-operated devices.
What helps in preparing for evidence acquisition? - ANS ▪ Impact of the computer crime
incident on the organization's business.
▪ A complete network topology diagram that shows affected computer systems and gives
complete information about how those computer systems are affected.
▪ Complete information of interviews with users and network or system administrators.
▪ Results of any legal or third-party interactions if involved.
▪ Complete report of outcomes of the tools used during the evidence assessment phase.
▪ A proposed course of action.
What should be done when handling digital evidence? - ANS ▪ Wear protective latex gloves for
all searching and seizing operations at the crime site.
▪ Store the electronic evidence in a secure area and weather-controlled environment.
▪ Use wireless StrongHold bags to block wireless signals from getting to the electronic devices.
▪ Avoid folding and scratching storage devices such as diskettes, DVD-ROMs, and tape drives.
▪ Pack the magnetic media in antistatic packaging.