3.2 Cyber Incident Response

Question 1

what is the best method to preserve evidence on a computer: bit stream backup or standard backup?

Answer 1

bit stream backup

Question 2

what is the order of volatility from most volatile to least volatile?

Answer 2

registers, cache

swap space

routing table, ARP cache, process table, kernel statistics, and memory

temporary file systems

disk

remote logging and monitoring data that is relevant to the system in question

Question 3

what are the FOUR documents/forms that should be part of forensic kit?

Answer 3

chain of custody form, incident response plan, incident form, call list/escalation list

Question 4

what is a write blocker?

Answer 4

a tool that permits read-only access to data storage devices without compromising the integrity of the data

Question 5

what is the purpose of imaging utilities included in a forensic kit?

Answer 5

to create a bit-level copy of drives

Question 6

what are the NINE components that should be included in a forensic kit?

Answer 6

1. digital forensics workstation
2. write blockers
3. cables
4. drive adaptors
5. wiped removable media
6. camera
7. crime tape
8. tamper-proof seals
9. documentation/forms

Question 7

what is the purpose of the chain of custody form?

Answer 7

it will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence

Question 8

which condition must be true of the hash values of a file to prove the file is unaltered?

Answer 8

the hash values must remain the same

Question 9

what is a SCADA device?

Answer 9

a system operating with coded signals over communication channels that provides control of remote equipment

Question 10

what is the purpose of tamper-proof seals?

Answer 10

to ensure that the chain of custody is maintained

Question 11

what is the purpose of hashing utilities included in a forensic kit?

Answer 11

to create a hash value of files so that you can prove that certain evidence has not been altered during your possession of the evidence

Question 12

what is the proper life cycle of evidence steps?

Answer 12

collection, analysis, storage, court presentation, and return to owner

Question 13

what is a digital forensics workstation?

Answer 13

a dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive

Question 14

what is the purpose of an incident form?

Answer 14

it is used to describe the incident in detail

Question 15

why should the proper chain of custody be ensured?

Answer 15

so that evidence will be admissible in court

Question 16

what is the purpose of the analysis utilities included in a forensic kit?

Answer 16

to analyze the bit-level copy that is created for that purpose

Question 17

what are the three basic questions answered by the chain of custody?

Answer 17

who controlled the evidence

who secured the evidence

who obtained the evidence

Question 18

when evidence is seized, which principle should be emphasized?

Answer 18

chain of custody

Question 19

what is indicated when the hash values on a file are different?

Answer 19

the file has been altered