5.5 Summarize basic concepts of forensics. Flashcards

1
Q

What is the order of volatility?

A
  1. CPU Cache
  2. ARP/Routing Tables
  3. RAM
  4. SWAP/Temp files
  5. Hard Drive
  6. Archival Media (CD/DVD/Print outs)
2
Q

Chain of Custody

A

A document that indicates various details about evidence across its lifecycle.

3
Q

Legal Hold

A

A notice to a data custodian that specific data or information must be preserved.

4
Q

Data Acquisition

A

The process and procedures by which data relevant to a criminal action is discovered and collected.

5
Q

Capture System Image

A
  • Taking a snapshot of the current state of the computer that contains all current settings and data
  • Must take the order of volatility into account
  • Use a write blocker to prevent changing evidence
  • Take hashes before and after making a bit-for-bit copy.
6
Q

Network Traffic And Logs

A

Sources of evidence can include network traffic and network device logs

7
Q

Capture Video

A

Collect any video from surveillance cameras.

8
Q

Record Time Offset

A

Ensuring that you take note of the time difference between the device clock and the standard.

9
Q

Take Hashes

A

Take hashes before collecting any digital evidence.

Take hashes after copying any digital evidence.

10
Q

Screenshots

A

Take photographs of screens rather than trusting the native software.

11
Q

Witness Interviews

A

It's important to interview all those with knowledge of what occurred.
This allows you to build a chronological order of events.

12
Q
An organization has been sent a lawyer's letter demanding that they retain specific records, logs, and other files pertaining to suspected illegal activity. What has just been done?
A. Financial Audit
B. Forensics
C. Big Data request
D. Legal Hold
A

D. Legal Hold

13
Q
In the initial stages of an investigation, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO).
A. Take hashes
B. Begin the chain of custody paperwork
C. Take screen shots
D. Capture the system image
E. Decompile suspicious files
A

A. Take hashes

D. Capture the system image

14
Q
Evidence is inadmissible in court if which of the following is violated or mismanaged?
A. Chain of custody
B. Service-level agreement
C. Privacy policy
D. Change management
A

A. Chain of custody
