CITP Exam 4 Questions with Complete Solutions
INTRODUCTION TO MOBILE DEVICE INVESTIGATIONS
EPO #1: Determine types of technology and the unique identifiers associated with a mobile device.
ANSWERS:
· IMEI - International Mobile Equipment ID. Permanent 15-17 digit number.
· CDMA - MEID = Mobile Equipment ID. Can be used to look up make/model.
· SIM - Subscriber Identity Module. Authenticates the device to the cell network. The ICCID is the serial number of the SIM card.
· MSISDN - Mobile Directory Number, and MIN - Mobile ID Number: another name for a phone number.
· The Call Detail Records (CDR) need to know what tower the cellphone is connected to. Provides a list of calls or other types of transmissions.
INTRODUCTION TO MOBILE DEVICE INVESTIGATIONS
EPO #2: Use forensic hardware and software tools to extract and analyze digital data from a seized mobile device.
ANSWERS:
· Different types of extractions include manual, logical, and physical.
  o Manual: must take photographs of all screens.
  o Logical: usually using Cellebrite. Utilizes the built-in backup feature found in the device's operating system (OS).
  o Physical: provides access to ALL data, basically a replica of the whole phone; usually requires forensic software.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #1: Define the uses and roles of electronic devices in criminal activity.
ANSWERS:
· Three Major Roles
  o Computers as the target of an illegal scheme: system intrusion, hacking, DDoS attacks, or ransomware, to name a few.
  o Computers used as the instrument or tool to facilitate criminal activity: e.g. solicitation of minors, electronic stalking, credit card scams, tax or benefit fraud, ID theft.
  o Computers and other electronic devices as repositories of evidence and other information: may contain photos, PII, or certain types of software.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #2: Identify electronic devices that may be or may contain evidence.
ANSWERS:
· Permanent files as well as temporary internet files. Search terms from web browsers.
· Phone SIM cards.
· Removable media - optical CDs, DVDs, and Blu-ray, or external drives, flash memory cards, or USB drives.
· Cloud computing can contain evidence and needs an additional warrant.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #3: Describe how electronic evidence may be altered or destroyed.
ANSWERS:
· The "two enemies" are physical or external damage and software or internal alteration.
· All media can be altered through brute force, extreme temperatures, water/condensation, or fire. Seize it anyway; the data may still be recoverable.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #4: Identify non-electronic items that may be important in the investigation of an electronic crime.
ANSWERS:
· Hardware: may contain DNA evidence or bodily fluids.
· Printed documents or reports.
· Scraps of paper with codes or passwords.
· Indicators of ownership like receipts, mail, manuals.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #5: Identify the proper procedures in collecting, preserving, and transporting computers and electronic items seized as evidence.
ANSWERS:
· Use Faraday bags, or wrap in foil if none are available.
· Secure the crime scene both physically and electronically. Sever network connectivity. Unplug desktops.
· Conduct an electronics sweep.
· Leave the phone how you found it, on or off. Isolate phones in a Faraday bag.
FIRST RESPONDERS TO DIGITAL EVIDENCE
EPO #6: Identify the proper procedures for RAM capture and uses for recovered data.
ANSWERS:
· Random Access Memory (RAM) is the storage area of everything the computer processes. Capture it, especially if you cannot remove the actual device or cannot get the password.
· Enables investigators and examiners to do a full memory analysis and access data.
ELECTRONIC SURVEILLANCE TECHNIQUES
EPO #1: Identify the various types of electronic surveillance equipment, technologies, and their characteristics used in investigations and operations.
ANSWERS:
· Audio recordings: modern devices are small and battery operated. May be a cellphone app, key fob, or small hidden device.
· Tracking devices: GPS or RF tracking devices make surveillance easier, but US v. Jones (2012) determined that a search warrant is needed.
· Video surveillance: moving or video record systems, or CCTV (fixed systems), including "traffic cameras." Some are sensor activated. Can also track using WiFi-enabled systems like PSP or smart devices.
ELECTRONIC SURVEILLANCE TECHNIQUES
EPO #2: Identify considerations for using electronic surveillance equipment as well as applicable protocols to conduct technical operations or investigations.
ANSWERS:
· RF/Beacon: good for areas with no cellular coverage. Older system.
· GPS/Cellular