Part 1
1. What are the three data acquisition methods & when should each one be used?
2. Explain how the investigator's target drive can be smaller than the suspect's drive in a disk-to-image copy.
3. Why are hash algorithms used when image files are created?
4. Differentiate between absolute and relative sectors.
5. What are some typical drawbacks to Windows data acquisition tools?
6. What is RAID? What challenges do RAID systems present to computer forensic investigators?
7. What is the difference between a Static Acquisition and a Live Acquisition?
8. What drawbacks can be encountered when performing a Remote Acquisition?
Part 2
1. Discuss the different activities investigators perform with digital evidence.
2. Even though digital evidence is considered to be physical, it differs from other types of physical evidence. What are these differences and what issues do they create for analysts?
3. What are FOIA laws and why do they exist?
4. What are Corporate Policy Statements and Warning Banners? How do they impact an employer's rights related to corporate computer investigations?
5. Explain how a corporate employee could jeopardize the suspect's Fourth Amendment protection by gathering evidence in a private sector investigation.
6. What is probable cause and what criteria must be met to establish probable cause?
7. What is the plain view doctrine and how does it apply to the search and seizure of digital evidence?
8. Why is seizing a computer (and analyzing it in a computer forensics lab) preferred over analysis at the crime scene? What conditions might prevent an investigator from seizing a computer?
9. What is a technical advisor and what roles do they play at an incident or crime scene?
10. What various media exist for storing digital evidence? What are the pros and cons of each?
11. What steps are outlined in the text for processing & handling digital evidence?