1. To preserve digital evidence, an investigator should ________. A. make two copies of each evidence item using a single imaging tool B. make a single copy of each evidence item using an approved imaging tool C. make two copies of each evidence item using different imaging tools D. store only the original evidence item

2. Bob was asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend for or against using a disk-imaging tool?

A. A disk-imaging tool would check for internal self-checking and validation and have an MD5 checksum. B. The evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file. C. A simple DOS copy will not include deleted files, file slack, and other information. D. There is no case for an imaging tool because it will use a closed, proprietary format that if compared with the original will not match up sector for sector.

3. It takes ___________ occurrence(s) of overextending yourself during testimony to ruin your reputation. A. only one if it is a major case B. several C. only one D. at least two

4. The MD5 message-digest algorithm is used to ________. A. wipe magnetic media before recycling it B. make directories on an evidence disk C. view graphics files on an evidence drive D. hash a disk to verify that a disk is not altered when you examine it

5. You should make at least two bitstream copies of a suspect drive. A. True B. False

6. What is the purpose of hashing a copy of a suspect drive? A. To make it secure B. To remove viruses C. To check for changes D. To render it read-only

7. What is the most important reason that you not touch the actual original evidence any more than you have to? A. Each time you touch digital data, there is some chance of altering it. B. You might be accused of planting evidence. C. You might accidentally decrypt files. D. It can lead to data degradation.