Domain 7: Security Operations - Continuity of the Enterprise

Question 1

Computer Forensics

Answer 1

Discipline of using proven methods toward collection, preservation, validation, identification, analysis, interpretation, documentaion, and presentation of digital evidence

Question 2

Who can collect evidence

Answer 2

those who are trained

Question 3

7 Steps for Forensic Investigatin

Answer 3

Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision

Question 4

Identification Step

Answer 4

Locard’s principle of Exchange: when a crime is committed an attacker leaves behind something when something is taken.

Question 5

Preservation Step

Answer 5

Chain of custody must be well documented

Verify integrity of all evidence

Question 6

Collection Step

Answer 6

Minimize handling/corruption of evidence
Keep detailed logs
Ensure actions are repeatable
Follow security policy
Work fast
Start with most volatile to most persistent evidence

Question 7

Examination Step

Answer 7

Generates Data
Look for signatures of known attacks
Review audit logs
Hidden data recovery

Question 8

Analysis Step

Answer 8

Reviews Data
What is the root cause?
What files were altered/installed?
What communication channels were open?

Question 9

Presentation and Decision

Answer 9

Present the information in a forensically sound manner, and maintain chain of custody. Court of law makes a decision

Question 10

Order of Volatility

Answer 10

CPU Registers
Cache
RAM 
Virtual Memory
Hard Drive
Paper Records