Chapter 25 — Exercises
Work these without looking back at the chapter first; then check yourself. Items marked † have full worked solutions in the answers appendix. There are no answers in this file. The mix is deliberate: recall, applied reasoning, evidence interpretation, "spot the overstatement," ethics, and a cold-case extension.
A. Recall and definitions
- Define digital forensics in one sentence, and name the five activities (from identification through interpretation) it covers.
- Define digital evidence, and give two examples of digital evidence that a user never deliberately creates (i.e., generated automatically).
- † Explain the paradox at the heart of the chapter: in what sense is digital evidence both unusually durable (hard to fully erase) and unusually fragile (easy to alter)? Resolve the apparent contradiction.
- What is forensic imaging, and how does a forensic image differ from an ordinary "copy" of the files on a device?
- † Define hash value and state the three properties of a cryptographic hash function that make it forensically useful.
- What is a write blocker, and what specific contamination does it prevent during acquisition?
- Define metadata and give three distinct kinds a single smartphone photograph can carry.
- Define file carving, and explain how it can recover a file when the filesystem no longer records that the file ever existed.
- Define cell-site/location data in the chapter's exact, careful terms. Which two words in your definition are the ones most often dropped in courtroom overstatement?
- Distinguish a logical extraction from a physical / full-filesystem extraction of a phone, and state which one can recover deleted data.
B. Applied reasoning
- † An examiner connects a suspect's hard drive to a workstation without a write blocker, "just to take a quick look." Describe two specific ways the evidence may have been altered before anyone examined a file, and explain why this damages the case even if the examiner found nothing incriminating.
- A drive is imaged. The acquisition hash of the original and the hash of the image are identical. Eight months later the image is re-hashed and the value still matches. State precisely what this does prove and two distinct things it does not prove.
- Explain, using the "table of contents vs. the pages" analogy, why "delete" rarely means the data is gone — and name the one common event that genuinely destroys the data.
- † A solid-state drive (the storage in modern phones) behaves differently from an old spinning hard disk when it comes to deleted-data recovery. Name the background process responsible and explain why it can put deleted data beyond recovery faster than older drives did.
- A carved JPEG is recovered from unallocated space. It is a clear, intact image showing a relevant location. List three pieces of context this carved file most likely lacks, and explain why each is missing.
- A suspect says a document was written "months ago." The file's own creation timestamp says yesterday. Before concluding the suspect lied, name two innocent technical explanations a careful examiner must rule out first.
- † Explain why a phone's GPS-derived location log ("places you've been," accurate to meters) and its cell-site records (a coverage area, possibly miles across) are fundamentally different kinds of evidence — and why conflating them is the single most consequential error in this chapter.
- An investigator wants to know not just where a phone was but whether its owner was physically active at a given time. Name two kinds of sensor/health data a modern phone may hold that bear on this, and state the limit that applies to all of them.
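The file-carving definition in section A and the carved-JPEG item above both turn on what header/footer scanning can and cannot recover. The following is an added example, not from the chapter or its answers appendix: a minimal JPEG carver run over a constructed byte string standing in for unallocated space. The blob, the `fake_jpeg` builder, and the result fields (`offset`, `size`, `complete`, `sha256`) are my own constructions; a real carver also handles fragmentation, many formats, and validation of the decoded image.

```python
"""Minimal JPEG carver run over a constructed blob of 'unallocated space'.

Added example, not from the chapter or its answers appendix. The blob, the
fake JPEG builder and the result fields are constructed for illustration.
"""
import hashlib

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the 0xFF of the first segment
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(blob: bytes, max_size: int = 5_000_000) -> list:
    """Scan `blob` for JPEG header/footer pairs and return what was found.

    Carving reads raw content only. The filesystem's "table of contents" is
    never consulted, so a carved hit carries no filename, no path and no
    filesystem timestamps; only its offset, size and content hash are known.
    """
    hits = []
    pos = 0
    while True:
        start = blob.find(SOI, pos)
        if start == -1:
            break
        end = blob.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            # Header with no footer in range: a fragment, tail possibly overwritten.
            data = blob[start:start + max_size]
            complete = False
            pos = start + len(SOI)
        else:
            data = blob[start:end + len(EOI)]
            complete = True
            pos = end + len(EOI)
        hits.append({
            "offset": start,
            "size": len(data),
            "complete": complete,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return hits


def fake_jpeg(payload: bytes, truncated: bool = False) -> bytes:
    """Constructed stand-in for a JPEG: real markers, dummy body."""
    body = SOI + b"\xe0\x00\x10JFIF\x00" + payload
    return body if truncated else body + EOI


# Constructed unallocated space: zero filler, one intact JPEG, more filler,
# one JPEG whose tail was overwritten (no EOI), then trailing filler.
FILLER = b"\x00" * 64
BLOB = (FILLER
        + fake_jpeg(b"A" * 40)
        + FILLER
        + fake_jpeg(b"B" * 40, truncated=True)
        + FILLER)

if __name__ == "__main__":
    for hit in carve_jpegs(BLOB):
        state = "intact" if hit["complete"] else "fragment"
        print(f"offset {hit['offset']:4d}  size {hit['size']:4d}  {state}  "
              f"sha256 {hit['sha256'][:16]}...")
```

Note what the output contains and what it does not: the carver can report where in the blob each candidate sat and hash its content, but nothing in `hits` says what the file was called, which directory it lived in, or when it was created or last modified, because that information lived in filesystem structures the carver never reads. The second hit also shows why "a clear, intact image" is the good case: a file whose footer was overwritten comes back as a fragment whose true end the carver cannot know.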
C. Evidence interpretation
- Re-read Figure 25.1 ("Two hashes, one verdict"). The three hash values are identical. Write the single sentence an examiner can honestly say to a jury about what this establishes — and the single sentence that would overstate it by confusing integrity with truth.
- † Re-read Figure 25.2 ("What a cell sector really covers"). The record shows the phone used this tower's sector at 11:14 p.m. Both the cabin and a suspect's home (two miles away) sit inside the wedge. State (a) what the record establishes at honest strength, (b) the honest verb, and (c) why a prosecutor's map that drops a single dot on the cabin is misleading.
- An EXIF GPS coordinate on a phone's photo places the phone at the cabin at 11:40 p.m. Write the honest inference about the suspect, and name the additional evidence that would be required to connect the device's location to the person.
- A mobile-extraction tool's report lists a deleted text with a precise timestamp. Why should the examiner verify this finding by hand before relying on it in testimony, and what feature of the tool makes independent verification necessary?
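To make the Figure 25.2 wedge concrete, the following is an added example, not material from the chapter: a sector-coverage test over constructed coordinates for a tower, a cabin, a suspect's home and a third place. The tower position, the 120-degree beamwidth, the nominal range and every place coordinate are assumed values. The point it demonstrates is the one the item above is driving at: a single cell-site record is consistent with several places at once, and the range figure is a modelling assumption rather than a hard edge, since a phone attaches to the best-serving sector, which is not always the nearest one.

```python
"""Sector-coverage check for a historical cell-site record (constructed example).

Added for illustration; the tower, sector parameters and place coordinates are
assumed values, not data from the chapter's case file.
"""
import math

EARTH_RADIUS_KM = 6371.0


def bearing_and_distance_km(lat1, lon1, lat2, lon2):
    """Initial bearing (degrees clockwise from north) and great-circle
    distance (km) from point 1 to point 2, using the haversine formula."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    distance = 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))
    y = math.sin(dlam) * math.cos(phi2)
    x = (math.cos(phi1) * math.sin(phi2)
         - math.sin(phi1) * math.cos(phi2) * math.cos(dlam))
    bearing = (math.degrees(math.atan2(y, x)) + 360.0) % 360.0
    return bearing, distance


def in_sector(tower, place, azimuth_deg, beamwidth_deg, nominal_range_km):
    """True if `place` lies inside the wedge served by this sector.

    The wedge is centred on `azimuth_deg`, spans `beamwidth_deg`, and extends
    to `nominal_range_km`. The range is a modelling assumption: real coverage
    edges are soft, so "outside" here means "less likely", not "impossible".
    """
    bearing, distance = bearing_and_distance_km(*tower, *place)
    diff = (bearing - azimuth_deg + 180.0) % 360.0 - 180.0   # signed, in (-180, 180]
    return abs(diff) <= beamwidth_deg / 2 and distance <= nominal_range_km


def places_consistent_with(record, places):
    """Names of every candidate place the record cannot rule out."""
    return [name for name, coords in places.items()
            if in_sector(record["tower"], coords, record["azimuth_deg"],
                         record["beamwidth_deg"], record["nominal_range_km"])]


# Constructed record: one tower, east-facing sector, 120-degree beamwidth.
RECORD = {"tower": (44.0000, -72.0000), "azimuth_deg": 90.0,
          "beamwidth_deg": 120.0, "nominal_range_km": 8.0, "time": "11:14 p.m."}

# Constructed places: roughly 3 km and 6.4 km east of the tower, and one due north.
PLACES = {
    "cabin": (44.0000, -71.9625),
    "suspect_home": (44.0000, -71.9200),
    "north_farm": (44.0300, -72.0000),
}

if __name__ == "__main__":
    inside = places_consistent_with(RECORD, PLACES)
    for name, coords in PLACES.items():
        brg, dist = bearing_and_distance_km(*RECORD["tower"], *coords)
        state = "inside" if name in inside else "outside"
        print(f"{name:13s} bearing {brg:6.1f} deg  {dist:4.1f} km  {state} sector")
    print(f"honest statement: at {RECORD['time']} the phone used a sector "
          f"whose coverage is consistent with {inside}")
```

The honest output is the list, not a dot: the record is consistent with the cabin and with the home, and the map that marks only the cabin has silently discarded the second entry. The function also makes the "device vs. person" gap visible by construction: nothing in `RECORD` identifies who was carrying the phone.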
D. Spot the overstatement / junk-science alert
- † A detective testifies: "The cell records prove the defendant's phone was at the cabin at the time of the fire." Identify two distinct overstatements packed into that sentence, and rewrite it at honest strength.
- An expert draws a tidy circle around a cell tower on a map and tells the jury the phone was "within this circle." Using §25.5, explain why even the circle can mislead, given how a phone actually selects a tower.
- A forensic report concludes that because no incriminating messages were recovered from a phone, "the defendant sent no such messages." Explain why this inference is unsound, referencing both deletion/overwriting and the limits of recovery.
- A prosecutor says, "The hash matches, so this evidence is verified — the jury can rely on every file as authentic." Name the specific conflation in this sentence (using the three-question distinction from §25.2) and state what the hash actually verifies.
- A television scene shows an analyst typing for nine seconds and producing a suspect's exact GPS track from a single cell-tower "ping." Using §25.5 and §1.2 (the CSI effect), name two ways this is backward from how the method actually works.
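Several items in sections A through D (the hash-value definition, the re-hashed image, Figure 25.1, and the prosecutor's "verified, so authentic") hinge on exactly what a matching hash establishes. As an added example that is not the chapter's own material, the Python below images a constructed "drive", verifies the image against its acquisition hash, and then shows three things in turn: a file-level copy does not hash like a forensic image, a single flipped bit breaks verification, and a drive whose contents were fabricated before seizure verifies perfectly. The drive bytes and the `acquire`/`verify` helpers are constructed for illustration.

```python
"""Hash verification of a forensic image (constructed example).

Added for illustration, not from the chapter. The 'drive' bytes and the
acquire/verify helpers are constructed; nothing here is a real tool's API.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes) -> dict:
    """Make a bit-for-bit image of `source` and record the acquisition hash.

    In practice a write blocker sits between the examiner and the source at
    this step; the constructed version simply copies bytes.
    """
    image = bytes(source)
    return {"image": image, "acquisition_hash": sha256_hex(source)}


def verify(data: bytes, acquisition_hash: str) -> bool:
    """True iff `data` is bit-identical to what was hashed at acquisition.

    That is all a match proves: integrity since acquisition. It does not prove
    the source was untouched before imaging, and it does not prove that any
    file on it is truthful.
    """
    return sha256_hex(data) == acquisition_hash


# Constructed source: one allocated file followed by unallocated space that
# still holds remnants of a deleted draft.
ALLOCATED = b"invoice.txt: total due $4,200\n"
UNALLOCATED = b"\x00" * 16 + b"deleted draft: total due $2,400\n"
DRIVE = ALLOCATED + UNALLOCATED

RECORD = acquire(DRIVE)


def image_still_verifies() -> bool:
    # Re-hashing months later: same bytes, same hash.
    return verify(RECORD["image"], RECORD["acquisition_hash"])


def file_copy_verifies() -> bool:
    # A "copy of the files" drops unallocated space, so it is not the image.
    return verify(ALLOCATED, RECORD["acquisition_hash"])


def tampered_image_verifies() -> bool:
    tampered = bytearray(RECORD["image"])
    tampered[0] ^= 0x01            # one flipped bit anywhere is enough
    return verify(bytes(tampered), RECORD["acquisition_hash"])


def forged_source_verifies() -> bool:
    # Content fabricated *before* seizure: integrity is perfect, truth is not,
    # and the hash cannot tell the difference.
    forged = b"invoice.txt: total due $9,999\n" + UNALLOCATED
    rec = acquire(forged)
    return verify(rec["image"], rec["acquisition_hash"])


if __name__ == "__main__":
    print("image re-hashed later matches:   ", image_still_verifies())    # True
    print("file-level copy matches image:   ", file_copy_verifies())      # False
    print("one-bit change still matches:    ", tampered_image_verifies()) # False
    print("fabricated source still matches: ", forged_source_verifies())  # True
```

The last line is the one the prosecutor's sentence gets wrong. `verify` answers "is this the same data I hashed?" and nothing else; whether the data was altered before the examiner ever saw it, and whether the invoice inside it is true, are separate questions that no hash can answer.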
E. Ethics and reasoning
- † An examiner is told by investigators, before beginning, "We're sure he deleted texts about the insurance — find them." Using the Cognitive-Bias Watch in §25.3 (and previewing Chapter 31), explain the bias risk and describe a safeguard. Is a finding produced blind to that expectation worth more than one produced knowing it — even if they agree?
- A warrant authorizes searching a phone for evidence of insurance fraud. During the search the examiner notices unrelated material suggesting a different offense. Using §25.6, explain the scope problem and why proceeding to mine the phone for the unrelated matter could jeopardize the case.
- A lawfully seized phone is encrypted and cannot be opened even with a valid warrant. A junior investigator argues, "A warrant means we're entitled to the data, so there must be a way in." Explain the distinction between legal permission and technical capability, and why "we can always get into the phone" is false (§25.6).
- Commercial extraction tools can sometimes bypass a phone's lock and recover data no manual method could — but their methods are trade secrets. Argue both sides: why this capability is valuable to investigators, and why the black-box nature is a genuine problem for the defense and for validity (tie to Chapter 4, §4.4, and Chapter 6).
- A volume of one million files is recovered from a device. The examiner finds a handful that, read uncharitably, support the investigators' theory. Explain why "I found supporting files" is weak corroboration here, and what discipline §25.3 demands instead.
F. Synthesis and validity spectrum
- † Place these four on the NAS 2009 / PCAST 2016 validity spectrum (strong → weak/overstated), justifying each: cryptographic hashing for data integrity (§25.2); a phone's GPS-derived location log (§25.4); historical cell-site pinpointing to a specific spot (§25.5); and bite-mark comparison (Chapter 16, previewed). Explain why two of these are "digital" yet sit at opposite ends.
- Explain how this chapter advances at least two of the book's four themes (exclusion over proof; the validity spectrum; cognitive bias; the CSI effect cutting both ways). Name which themes and how.
- The chapter insists on three separate distinctions — integrity vs. truth, device vs. person, area vs. point. For each, give one sentence of digital evidence that is sound on the left side of the distinction but becomes an overstatement if pushed to the right.
G. Cold-case extension
- † Cold Case. Using only what the chapter's digital findings establish, write the two entries you would add to the Mill Creek evidence log (Appendix I): one for Keller's recovered deleted messages and one for the cell-site finding. For each, state (a) the defensible inference at its true strength, (b) the honest verb, (c) at least two things it does not establish, and (d) why you do not write "Keller was at the cabin."
- Cold Case extension. The Case File says "Keller's alibi breaks," not "Keller did it." Explain, in your own words, why those are different sentences — and identify which later chapter (by number) is the only place the whole file is finally weighed.
- Cold Case, integrative. The cell-site data places Keller's phone, not provably the man, in the area. List two other evidence types already in the file (from earlier chapters) that, combined with the cell-site finding, begin to connect the person Keller to the cabin — and state plainly why the cell-site data alone cannot make that leap.
- Cold Case, honest limits. Suppose the defense argues the cell-site evidence is "worthless because it can't pinpoint the cabin." Write the response an honest examiner would give — one that concedes what must be conceded (no pinpoint) while explaining what the data still legitimately does to Keller's alibi.
H. Short writing
- † In 150–200 words, explain to a juror why hashing lets a digital examiner make a claim close to certainty ("this data is unaltered") while cell-site evidence cannot support the certainty juries are tempted to give it — and why both honesty points belong to the same discipline.