CCSP Domain 5: Forensics Flashcards

1
Q

What is the most common means of capturing disk images from virtual machines in IaaS environments?

A

use of the provider’s snapshot tool

2
Q

What step typically comes after forensic artifacts are identified?

A

preservation

3
Q

An organization wants to preserve forensic artifacts from a running instance in its cloud environment. What two key steps should it take to ensure it can perform forensic analysis?

A
  1. create a snapshot of the running instance
  2. make bit-for-bit copies of any mounted volumes

4
Q

What should he do to validate forensic data after capturing disk snapshots for the VM’s OS and data disks from an Azure-hosted VM?

A

compare hashes of the VM’s OS and data disks and the snapshots of each

5
Q

An organization wants to conduct a forensic analysis of potentially malicious traffic in a SaaS environment. What tools should it use to conduct this analysis?

A

analyzing network traffic in a SaaS environment is typically not possible for customers

6
Q

What technique is used to reduce the possibility that captured data is altered while the copies are being made?

A

forensic imaging

7
Q

Does forensic investigation require the participation of the cloud provider?

A

in many cases yes; the customer is not able (legally, technically or both) to capture the necessary material in a manner or with the detail required for the satisfaction of a court

8
Q

What does chain of custody provide?

A

nonrepudiation

9
Q

What needs to be assured with the cloud provider in terms of chain of custody?

A

that their chain of custody process aligns with our own

10
Q

What is recommended to do when a forensic analysis is required?

A

obtain the services of forensic professionals certified and licensed to perform forensic activities

11
Q

Which ISO standards are an excellent guide for collecting, preserving and analyzing forensic data?

A

ISO 27037 and ISO 27042

12
Q

What process does Digital Forensics outline?

A

the process of collecting evidence in a manner that allows it to be used in court with reliability

13
Q

Which organizations provide guidance on best practices for collecting digital evidence and conducting forensic investigations in the cloud?

A

ISO/IEC and CSA

14
Q

What is the “Cloud Computing Forensic Science Challenges” standard?

A

NIST NISTIR 8006

14
Q

What does NISTIR from NIST NISTIR 8006 stand for?

A

NIST Interagency or Internal Reports

15
Q

What does NIST NISTIR 8006 address?

A

common issues and solutions needed to address DFIR (Digital Forensics and Incident Response) in cloud environments

16
Q

When would you use NIST NISTIR 8006?

A

when responding to incidents that have occurred in a cloud-computing ecosystem; it aggregates, categorizes and discusses the forensic challenges faced by experts

17
Q

What does CSA Security Guidance offer?

A

guidance on legal concerns related to security, privacy and contractual obligations

18
Q

What does ISO/IEC 27050 offer?

A

framework, governance and best practices for forensics, eDiscovery, and evidence management

19
Q

ISO/IEC 27037:2012 offers guidance for what?

A

collecting, identifying and preserving electronic evidence

20
Q

ISO/IEC 27041:2015 offers guidance for what?

A

incident investigation

21
Q

ISO/IEC 27042:2015 offers guidance for what?

A

evidence analysis

22
Q

ISO/IEC 27043:2015 offers guidance for what?

A

incident investigation principles and processes