Chapter 3

1. What are two general ways in which computers are involved in security violations?

Answer: A computer can be used in the commission of crimes or in violation of policy. It can also be the target for an attack.

2. What is computer evidence?

Answer: Any computer hardware, software, or data that can be used to prove one or more of the five Ws and the H for a security incident—namely, who, what, when, where, why, and how.

3. What is an incident response team?

Answer: The incident response team (IRT) carries out internal investigations. IRT members are generally specially trained to identify and collect evidence to document and categorize incidents. In addition, team members must be cognizant of when incidents are crimes and require law enforcement involvement.

4. What is real evidence?

Answer: Real evidence is any physical object you can actually bring into court and place on a table in front of a jury. Real evidence can be touched, held, or otherwise observed directly.

5. What is documentary evidence?

Answer: Documentary evidence is written evidence, such as printed reports, log files, database files, computer-based file data, and incident-specific files and reports that supply information about what happened.

6. What is demonstrative evidence?

Answer: Demonstrative evidence is evidence that is used to explain, illustrate, or recreate other evidence. Usually demonstrative evidence consists of some kind of visual aids and other illustrations.

7. What is a subpoena?

Answer: A subpoena is a court order that compels an individual or organization to surrender evidence.

8. What is a search warrant?

Answer: A search warrant is a court order that allows law enforcement to search and/or seize computer equipment without providing advance warning to its owner.

9. What is the chain of custody?

Answer: Chain of custody is a term used to describe careful documentation of all steps that evidence has taken from the time it is located at a crime scene to the time it is introduced in a courtroom. All steps include collection, transportation, analysis, and storage processes. All accesses to the evidence must be documented as well.

10. What is admissible evidence?

Answer: Admissible evidence is evidence that meets all regulatory and statutory requirements, and has been properly obtained and handled.
