CISSP Prep- Legal And Investigations

1. What are the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information related to?

Privacy

Secrecy

Availability

Reliability

Privacy can be defi ned as “the rights and obligations of individuals
and organizations with respect to the collection, use, retention, and disclosure
of personal information.” Page 514.

Explanation

Privacy can be defi ned as “the rights and obligations of individuals
and organizations with respect to the collection, use, retention, and disclosure
of personal information.” Page 514.

2. Integrity of a forensic bit stream image is often determined by

Comparing hash totals to the original source

Keeping good notes

Taking pictures

Can never be proven

Ensuring the authenticity and integrity of evidence is critical.
If the courts feel the evidence or its copies are not accurate or lack integrity, it is
doubtful that the evidence or any information derived from the evidence will be
admissible. Th e current protocol for demonstrating authenticity and integrity relies
on hash functions that create unique numerical signatures that are sensitive to any

Explanation

Ensuring the authenticity and integrity of evidence is critical.
If the courts feel the evidence or its copies are not accurate or lack integrity, it is
doubtful that the evidence or any information derived from the evidence will be
admissible. Th e current protocol for demonstrating authenticity and integrity relies
on hash functions that create unique numerical signatures that are sensitive to any

3. Where does the greatest risk of cybercrime come from?

Outsiders

Nation-states

Insiders

Script kiddies

A word of caution is necessary: although the media has tended
to portray the threat of cybercrime as existing almost exclusively from the outside,
external to a company, reality paints a much diff erent picture. Th e greatest risk of
cybercrime comes from the inside, namely, criminal insiders. Page 520.

Explanation

A word of caution is necessary: although the media has tended
to portray the threat of cybercrime as existing almost exclusively from the outside,
external to a company, reality paints a much diff erent picture. Th e greatest risk of
cybercrime comes from the inside, namely, criminal insiders. Page 520.

4. What is not mentioned as a phase of an incident response?

Documentation

Prosecution

Containment

Investigation

Th e incident response and handling phase can be broken down
further into triage, investigation, containment, and analysis and tracking. Page 523.

Explanation

Th e incident response and handling phase can be broken down
further into triage, investigation, containment, and analysis and tracking. Page 523.

5. Which of the following is not one of the fi ve rules of evidence?

Be authentic

Be redundant

Be complete

Be admissible

At a more generic level, evidence should have some probative
value, be relevant to the case at hand, and meet the following criteria (often called
the fi ve rules of evidence): be authentic, be accurate, be complete, be convincing,
and be admissible. Page 531.

Explanation

At a more generic level, evidence should have some probative
value, be relevant to the case at hand, and meet the following criteria (often called
the fi ve rules of evidence): be authentic, be accurate, be complete, be convincing,
and be admissible. Page 531.

6. Computer forensics is really the marriage of computer science, information technology, and engineering with

Law

Information systems

Analytical thought

Th e scientifi c method

As a forensic discipline, this area deals with evidence and the
legal system and is really the marriage of computer science, information technology,
and engineering with law. Page 529.

Explanation

As a forensic discipline, this area deals with evidence and the
legal system and is really the marriage of computer science, information technology,
and engineering with law. Page 529.

7. Triage encompasses which of the following incident response subphases?

Collection, transport, testimony

Traceback, feedback, loopback

Detection, identification, notifi cation

Confi dentiality, integrity, availability

Triage is a process in incident response that involves quickly assessing and prioritizing the incidents. The correct answer, "Detection, identification, notification," accurately represents the subphases of triage. Detection refers to identifying the presence of an incident, identification involves determining the nature and scope of the incident, and notification involves informing the appropriate individuals or teams about the incident. These subphases are crucial in effectively responding to and managing incidents.

Explanation

Triage is a process in incident response that involves quickly assessing and prioritizing the incidents. The correct answer, "Detection, identification, notification," accurately represents the subphases of triage. Detection refers to identifying the presence of an incident, identification involves determining the nature and scope of the incident, and notification involves informing the appropriate individuals or teams about the incident. These subphases are crucial in effectively responding to and managing incidents.

8. What is the biggest hindrance to dealing with computer crime?

Computer criminals are generally smarter than computer investigators.

Adequate funding to stay ahead of the computer criminals.

Activity associated with computer crime is truly international.

Th ere are so many more computer criminals than investigators that it isimpossible to keep up.

Th e biggest hindrance to eff ectively dealing with computer
crime is the fact that this activity is truly international in scope, and thus requires
an international solution, as opposed to a domestic one based on archaic concepts
of borders and jurisdictions. Page 520.

Explanation

Th e biggest hindrance to eff ectively dealing with computer
crime is the fact that this activity is truly international in scope, and thus requires
an international solution, as opposed to a domestic one based on archaic concepts
of borders and jurisdictions. Page 520.

9. What principal allows us to identify aspects of the person responsible for a crime when, whenever committing a crime, the perpetrator takes something with him and leaves something behind?

Meyer’s principal of legal impunity

Criminalistic principals

IOCE/Group of 8 Nations principals for computer forensics

Locard’s principal of exchange

Locard’s principle of exchange states that when a crime is committed,
the perpetrators leave something behind and take something with them,
hence the exchange. Th is principle allows us to identify aspects of the persons
responsible, even with a purely digital crime scene. Page 530.

Explanation

Locard’s principle of exchange states that when a crime is committed,
the perpetrators leave something behind and take something with them,
hence the exchange. Th is principle allows us to identify aspects of the persons
responsible, even with a purely digital crime scene. Page 530.

10. Which type of intellectual property covers the expression of ideas rather than the ideas themselves?

Trademark

Patent

Copyright

Trade secret

A copyright covers the expression of ideas rather than the ideas
themselves; it usually protects artistic property such as writing, recordings, databases,
and computer programs. Page 512.

Explanation

A copyright covers the expression of ideas rather than the ideas
themselves; it usually protects artistic property such as writing, recordings, databases,
and computer programs. Page 512.

11. __________ emphasizes the abstract concepts of law and is infl uenced by the writings of legal scholars and academics.

Criminal law

Civil law

Religious law

Administrative law

Civil law emphasizes the abstract concepts of law and is infl uenced
by the writings of legal scholars and academics, more so than common law
systems. Page 509

Explanation

Civil law emphasizes the abstract concepts of law and is infl uenced
by the writings of legal scholars and academics, more so than common law
systems. Page 509

12. Which type of intellectual property protects the goodwill a merchant or vendor invests in its products?

Trademark

Patent

Copyright

Trade secret

Trademark laws are designed to protect the goodwill a merchant
or vendor invests in its products. Page 511.

Explanation

Trademark laws are designed to protect the goodwill a merchant
or vendor invests in its products. Page 511.

13. Which of the following is not a computer forensics model?

IOCE

SWGDE

MOM

ACPO

Like incident response, there are various computer forensics
guidelines (e.g., International Organization of Computer Evidence (IOCE),
Scientifi c Working Group on Digital Evidence (SWGDE), Association of Chief
Police Offi cers (ACPO)). Th ese guidelines formalize the computer forensic processes
by breaking them into numerous phases or steps. MOM stands for means,
opportunity, and motives. Page 529.

Explanation

Like incident response, there are various computer forensics
guidelines (e.g., International Organization of Computer Evidence (IOCE),
Scientifi c Working Group on Digital Evidence (SWGDE), Association of Chief
Police Offi cers (ACPO)). Th ese guidelines formalize the computer forensic processes
by breaking them into numerous phases or steps. MOM stands for means,
opportunity, and motives. Page 529.

14. Which of the following is not a category of software licensing?

Freeware

Commercial

Academic

End-user licensing agreement

Th ere are four categories of software licensing: freeware, shareware,
commercial, and academic. Within these categories, there are specifi c types
of agreements. Master agreements and end-user licensing agreements (EULAs) are
the most prevalent. Page 513.

Explanation

Th ere are four categories of software licensing: freeware, shareware,
commercial, and academic. Within these categories, there are specifi c types
of agreements. Master agreements and end-user licensing agreements (EULAs) are
the most prevalent. Page 513.

15. When dealing with digital evidence, the crime scene

Must never be altered

Must be completely reproducible in a court of law

Must exist in only one country

Must have the least amount of contamination that is possible

Given the importance of the evidence that is available at a
crime scene, the ability to deal with a scene in a manner that minimizes the amount
of disruption, contamination, or destruction of evidence. Once a scene has been contaminated,
there is no undo or redo button to push; the damage is done. Page 531.

Explanation

Given the importance of the evidence that is available at a
crime scene, the ability to deal with a scene in a manner that minimizes the amount
of disruption, contamination, or destruction of evidence. Once a scene has been contaminated,
there is no undo or redo button to push; the damage is done. Page 531.