
a. Audit methodology

b. System methodology

c. Forensic methodology

d. Criminal methodology

135. c. A forensic methodology is a process for the analysis of electronically stored data. The process must be completely documented to ensure that the integrity of the evidence is not questioned in court. The forensic methodology deals with technical evidence.

The audit methodology deals with reviewing business transactions and systems and reaching an opinion by an auditor. The phrases system methodology and criminal methodology have many meanings.

136. Which of the following is not a key factor in a crime warrant search?

a. Ownership

b. Occupancy

c. Possession

d. Purchase

136. d. A key fact in any search is ownership or rightful occupancy of the premises to be searched, and ownership or rightful possession of the items to be seized. Different search and seizure rules apply when the properties and premises are government or privately owned or leased. Purchase has nothing to do with search. One may purchase and others can occupy or possess.

137. Which of the following is not an example of evidentiary errors?

a. Harmless errors

b. Reversible errors

c. Plain errors

d. Irreversible errors

137. d. A harmless error is an error that does not affect “a substantial right of a party.” A reversible error is one that does affect a substantial right of a party. A plain error is a reversible error that is so obviously wrong that the court will reverse it even though the party harmed failed to take the steps necessary to preserve the error. An irreversible error is not defined in the law.

138. Which of the following crime team members has a clear role in solving a computer crime?

a. Manager

b. Auditor

c. Investigator

d. Security officer

138. a. A computer crime involves many individuals from different disciplines with varied experiences. The roles of each of these individuals, especially those of the auditor, investigator, and security officer, need to be spelled out in a detailed manner because of their overlapping duties. This is important to minimize duplication, confusion, and omission. On the other hand, the duties of the manager of the crime team are clear: to conduct thorough research, analysis, and investigation of the crime and to resolve the crisis.

139. Prosecuting a computer crime is complex and demanding. Which of the following poses a major challenge to prosecutors?

a. Doing special technical preparation

b. Dealing with special evidence problems

c. Testifying about technical matters before a judge or jury

d. Dealing with electronic evidence problems

139. c. Computer crime is technical in nature, and its evidence is mostly electronic and is based on “hearsay.” Trying to convey technical information to nontechnical people such as judges and jurors, and even trying to convince them that a crime has actually occurred when no physical equipment has been stolen, can be a major challenge. Preparing technical evidence and collecting proper evidence (paper or electronic) are not major challenges.

140. Which of the following is not a proper criterion for measuring the effectiveness of a computer-security incident response capability?

a. Dollars saved

b. Incidents reported

c. Vulnerabilities fixed

d. Tools implemented

140. a. The payoff from a computer security incident response capability (CSIRC) cannot be quantified in terms of dollars saved and incidents handled. It may not be possible to satisfactorily quantify the benefits a CSIRC provides within its first year of operation. One of the ways in which a CSIRC can rate its success is by collecting and analyzing statistics on its activity. For example, a CSIRC could keep statistics on incidents reported, vulnerabilities reported and fixed, and tools implemented.

141. A computer-security incident-response capability structure can take different forms, depending on organization size, its diversity of technologies, and its geographic locations. Which of the following organization structures is best for reporting computer security-related problems?

a. Centralized reporting

b. Decentralized reporting

c. Distributed reporting

d. Centralized, decentralized, and distributed reporting

141. a. When determining a structure for the computer-security incident-response capability (CSIRC), we should keep in mind the objectives of centralized response and avoiding duplication of effort. For example, the help desk function can be integrated with the CSIRC. A CSIRC provides computer security efforts with the capability to respond to computer security-related incidents such as computer viruses, unauthorized user activity, and serious software vulnerabilities in an efficient and timely manner. Possible threats include loss of data confidentiality, loss of data or system integrity, or disruption or denial of system or data availability.

Centralized reporting to the CSIRC is more cost-effective because duplication of effort is avoided. It is also less complicated. Because the CSIRC is a physically separate group within the organization and is functionally separate from the computer security function, end users can contact it directly. The other three choices are incorrect because of possible duplication of effort and the difficulty of coordinating and communicating among many business units.

142. A computer security incident response capability (CSIRC) needs to retain a variety of information for its own operational use and for conducting reviews of effectiveness and accountability. Which of the following logs best reflects the course of each day?

a. Contact logs

b. Activity logs

c. Incident logs

d. Audit logs

142. b. Activity logs reflect the course of each day. It is not necessary to describe each activity in detail, but it is useful to keep such a log so that the CSIRC can account for its actions. Noting all contacts, telephone conversations, and so forth ultimately saves time by enabling one to retain information that may prove useful later.

Contact logs are incorrect because they contain vendor contacts, legal and investigative contacts, and other contacts. Incident logs are incorrect because they contain information generated during the course of handling an incident, including all actions taken, all conversations, and all events. Audit logs are incorrect because they contain personal identification and activity information and transaction processing information so that actions can be traced back and forth.

143. Which of the following approaches provides an effective way of reporting computer security-related problems?

a. Help desks

b. Self-help information

c. Site security offices

d. Telephone hotline