Chapter 4

1. What is the first common task when handling evidence?

Answer: In any investigation, your initial task is to identify the evidence you need for your case. In fact, you’ll want to begin your efforts by making a complete photographic survey of the surroundings to document where and when you identified items worthy of investigation.

2. Which type of hardware is seldom of interest to an investigation?

Answer: Any hardware that does not include built-in storage of some kind – including such things as keyboards, mice, and monitors – cannot provide evidence in an investigation. Thus, it will seldom be of interest to an investigation, either, beyond its role in establishing that a particular person used a computer (such as fingerprints or DNA evidence from a mouse or keyboard, for example).

3. When attempting to prove that an individual used a computer, what clues might computer hardware provide?

Answer: Computer hardware points you to other sources of evidence. For example, if a scanner is hooked up to a suspect computer, you should expect to find a repository of scanned documents on the computer. Often a computer that an individual uses will store dated files that explicitly illustrate a person’s use of that machine (such as e-mail, web cookies, browsing history files, temporary files, and so forth).

4. In addition to hard disk drives, where else might data containing evidence reside?

Answer: Evidence can be found anywhere and everywhere. Some additional sources may include keyboard, mouse, touchpad, CD-ROM/DVD drive, laptop case, scanner lids, mobile device cradle (especially its buttons and switches), keyboard-video-monitor (KVM) switches, game controller, media storage units (CD/DVDs, tape, floppy cases, and drawers), and much more. Even a keyboard, mouse, or touchpad can provide evidence that a particular user must have touched a specific computer (although such devices, being without RAM or other storage, cannot usually provide more information than that).

5. Should handwritten notes be considered in a computer forensic investigation?

Answer: Yes. Handwritten notes are a type of documentary evidence. As with other forms of evidence, handwritten notes may also lead to other sources to continue searching for evidence.

6. What is the primary concern in evidence collection and handling?

Answer: The main concern of evidence collection and preservation is to ensure that absolutely no changes have been made to the evidence since it was collected. Preservation is ensured by logging all access to and use of evidentiary materials, and showing that those materials were properly handled at all times. This is also known as maintaining the chain of custody.

7. Can you analyze a system that is intact and running?

Answer: Live systems can be analyzed with the help of computer forensic software suites that enable you to take a snapshot of the entire system, including memory and disks, while it is still running.

8. What happens when a PDA’s battery runs down?

Answer: When the power runs out on a PDA, the data is lost.

9. What device prohibits any changes to a hard disk drive?

Answer: You can use a write-blocking device to prevent changes to a hard disk drive. Software write blockers can likewise prevent any type of write access to storage devices.

10. How can you prove that you made no changes to a disk drive during analysis?

Answer: By creating a hash upon first inspection of a disk drive as a potential source of evidence, and creating a hash after your inspection of it, you can prove that no changes were made to the evidence during the investigation. If the present hash value and the original hash value match, this is proof positive that no changes were made to the contents of the disk drive.
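The before-and-after hashing described in the answer to question 10, together with the access logging that the answer to question 6 calls the chain of custody, can be demonstrated in a few lines of Python. The example below is added here and is not from the textbook; the disk image is a constructed byte string standing in for a raw image file (in practice the bytes would be read from an image acquired through a write blocker), and the `CustodyLog` class and its field names are this example's own design, not a standard tool's format.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a raw disk image. A real investigation would
# stream the bytes from an image file (e.g. one produced by dd) instead.
SAMPLE_IMAGE = (b"MBR\x00" + bytes(range(256)) * 8
                + b"user-file.txt: meeting notes\n")


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of the whole image.

    The data is fed to the hash in 64 KiB chunks so that the same routine
    works for images far larger than available RAM when read from a file.
    """
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for offset in range(0, len(view), 65536):
        h.update(view[offset:offset + 65536])
    return h.hexdigest()


class CustodyLog:
    """Minimal chain-of-custody log for one evidence item.

    The hash taken at acquisition is the baseline. Every later access
    records who handled the item, when, why, and the hash observed at that
    moment, so any change to the evidence shows up as a baseline mismatch.
    """

    def __init__(self, item_id: str, data: bytes, handler: str):
        self.item_id = item_id
        self.baseline = hash_image(data)
        self.entries = []
        self.record("acquisition", handler, data, "initial imaging")

    def record(self, action: str, handler: str, data: bytes, note: str = "") -> dict:
        digest = hash_image(data)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": self.item_id,
            "action": action,
            "handler": handler,
            "sha256": digest,
            "matches_baseline": digest == self.baseline,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def integrity_intact(self) -> bool:
        """True only if every logged access saw the acquisition-time hash."""
        return all(e["matches_baseline"] for e in self.entries)


def verify_image(data: bytes, expected_hex: str) -> bool:
    """Compare a freshly computed hash against the hash recorded earlier."""
    return hash_image(data) == expected_hex


if __name__ == "__main__":
    log = CustodyLog("HDD-01 (constructed)", SAMPLE_IMAGE, "examiner A")

    # Read-only analysis leaves the hash unchanged.
    log.record("analysis", "examiner A", SAMPLE_IMAGE, "keyword search")
    print("after read-only analysis, intact:", log.integrity_intact())

    # Simulate a single byte being written to the evidence (what a missing
    # write blocker would allow); the log now flags a mismatch.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[10] ^= 0x01
    entry = log.record("analysis", "examiner B", bytes(tampered), "second pass")
    print("entry matches baseline:", entry["matches_baseline"])
    print("integrity intact:", log.integrity_intact())
```

Note that a matching hash proves the contents are unchanged but not that the examiner used a write blocker; the log entries are what show who had the item and when, which is the part of the chain of custody the hash alone cannot supply.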
