🧠 KEY CONCEPTS
This is the term for information stored electronically that can be used in court.
What is digital evidence?
This type of malicious software records every key a user types, including passwords.
What is a keylogger?
This is the Costa Rican investigative police agency that receives forensic reports as evidence.
What is the OIJ (Organismo de Investigación Judicial)?
This Hojancha cooperative reported unauthorized access to its administrative server on March 14, 2026.
What is Coopeguanacaste R.L.?
This grammar structure uses 'not supposed to' — as in: 'You _______ connect personal USB drives without permission.'
What is 'are not supposed to'?
This type of malware encrypts a victim's files and demands payment to restore access.
What is ransomware?
These are the three infection methods found at the CTP Hojancha computer lab incident.
What are outdated software vulnerabilities, malicious shared files, and personal USB devices?
According to forensic reporting rules, if it is not in your report, you cannot do this in court.
What is testify about it?
This is what the CTP Hojancha IT coordinator told students about connecting personal USB devices to school computers.
What is that they are NOT SUPPOSED TO connect personal USB devices without permission?
This discourse marker introduces a contrast, as in: '_______ the attacker deleted logs, investigators recovered evidence from volatile memory.'
What is 'Whereas'?
This documented record tracks evidence from collection to court presentation.
What is a chain of custody?
This method hides an attacker's identity by routing traffic through a false server.
What is a malicious proxy server?
This is why forensic investigators kept the computers ON at the ICE Liberia office.
What is to preserve volatile memory?
This national telecommunications institution's Liberia office was the scene of the first forensic case in the listening test.
What is ICE (Instituto Costarricense de Electricidad)?
This past tense passive structure describes something that happened before another past event, as in: 'The files _______ stolen before the alarm triggered.'
What is 'had already been stolen' (past perfect passive)?
This is temporary data stored in RAM that is lost the moment a computer is turned off.
What is volatile memory?
This social engineering attack tricks employees into clicking malicious links via email.
What is phishing?
Write-protected drives are used during forensic investigations to prevent this.
What is changes to the evidence (alteration)?
In the Nicoya ICE breach, this is how many customer accounts were compromised by the attacker.
What is more than 400 customer accounts?
This discourse marker means 'despite that' — used to show that a conclusion holds even when there is a difficulty, as in: '_______, a complete report must be submitted.'
What is 'Nevertheless'?
This is the term for information about data — for example, when and where a photo was taken.
What is metadata?
In the ICE Nicoya breach, this tool collected usernames and passwords for 11 days undetected.
What is a keylogger?
This is the main challenge the forensic expert described at the ICE Liberia office — not identifying the attacker.
What is building a legal case with well-documented evidence that holds up in court?
This Costa Rican regulatory agency for cybersecurity and telecommunications is mentioned as having a role in digital forensics investigations.
What is SUTEL?
In a forensic expert report, this rule means you must explain the basis and reasoning behind your analysis, not just state the result.
What is 'Your report needs to detail the basis for your conclusions'?