Domain 7: Security Operations - Continuity of the Enterprise Flashcards

1
Q

Computer Forensics

A

Discipline of using proven methods for the collection, preservation, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence

2
Q

Who can collect evidence

A

Only those who are trained; handling by untrained personnel risks contaminating the evidence or rendering it inadmissible

3
Q

7 Steps for Forensic Investigation

A
Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision
4
Q

Identification Step

A

Locard’s principle of exchange: when a crime is committed, the attacker leaves something behind at the scene and takes something away. Those traces are what the investigator identifies.

5
Q

Preservation Step

A

Chain of custody must be well documented

Verify integrity of all evidence

6
Q

Collection Step

A
Minimize handling/corruption of evidence
Keep detailed logs
Ensure actions are repeatable
Follow security policy
Work quickly (volatile data decays)
Start with the most volatile evidence and finish with the most persistent
7
Q

Examination Step

A

Generates Data
Look for signatures of known attacks
Review audit logs
Hidden data recovery

8
Q

Analysis Step

A

Reviews Data
What is the root cause?
What files were altered/installed?
What communication channels were open?

9
Q

Presentation and Decision

A

Present the information in a forensically sound manner and maintain the chain of custody throughout. The court of law then makes the decision.

10
Q

Order of Volatility

A
CPU Registers (most volatile)
Cache
RAM
Virtual Memory
Hard Drive
Paper Records (least volatile)
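The Preservation, Collection and Order of Volatility cards above describe three things a practitioner has to do together: plan acquisition most-volatile-first, hash each artefact the moment it is collected, and keep an append-only chain-of-custody log that can re-verify integrity later. The following is an added example (not part of these flashcards or of any named tool) that does all three. The volatility ranks, the item IDs, the analyst names and the "RAM dump" bytes are all constructed assumptions for illustration.

```python
"""Evidence preservation helper: order acquisition by volatility, hash artefacts
on collection, log every handling step, and re-verify integrity on demand.
Added example; not from the flashcard deck."""
import hashlib
import json
import time
from dataclasses import asdict, dataclass, field

# Acquisition order, most volatile first. The ranks are an assumption for this
# example and mirror the deck's "Order of Volatility" card.
VOLATILITY_RANK = {
    "cpu_registers": 0,
    "cache": 1,
    "ram": 2,
    "virtual_memory": 3,
    "hard_drive": 4,
    "paper_records": 5,
}


def collection_order(sources):
    """Sort planned sources most volatile first. Unknown names are rejected so a
    typo cannot silently push an artefact to the end of the run."""
    unknown = [s for s in sources if s not in VOLATILITY_RANK]
    if unknown:
        raise ValueError(f"unknown evidence source(s): {unknown}")
    return sorted(sources, key=VOLATILITY_RANK.__getitem__)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    timestamp: float
    action: str   # "acquired" | "transferred" | "verified"
    actor: str
    detail: str


@dataclass
class EvidenceItem:
    item_id: str
    source: str
    description: str
    sha256: str                       # hash recorded at acquisition, never updated
    events: list = field(default_factory=list)


class ChainOfCustody:
    """In-memory evidence ledger: handling steps are appended, never edited."""

    def __init__(self):
        self.items = {}

    def acquire(self, item_id, source, description, data, collector, ts=None):
        if item_id in self.items:
            raise ValueError(f"duplicate item id {item_id}")
        if source not in VOLATILITY_RANK:
            raise ValueError(f"unknown evidence source {source}")
        digest = sha256_hex(data)
        item = EvidenceItem(item_id, source, description, digest)
        item.events.append(CustodyEvent(
            ts if ts is not None else time.time(), "acquired", collector, f"sha256={digest}"))
        self.items[item_id] = item
        return digest

    def transfer(self, item_id, from_actor, to_actor, reason, ts=None):
        """Record a hand-off; both parties appear in the entry."""
        item = self.items[item_id]
        item.events.append(CustodyEvent(
            ts if ts is not None else time.time(), "transferred", from_actor,
            f"to={to_actor} reason={reason}"))

    def verify(self, item_id, data, verifier, ts=None):
        """Re-hash the artefact and compare with the acquisition hash. The
        result is logged either way so a mismatch is itself part of the record."""
        item = self.items[item_id]
        ok = sha256_hex(data) == item.sha256
        item.events.append(CustodyEvent(
            ts if ts is not None else time.time(), "verified", verifier,
            "match" if ok else "MISMATCH"))
        return ok

    def export(self):
        """JSON dump of the ledger for the presentation step."""
        return json.dumps({k: asdict(v) for k, v in self.items.items()},
                          indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample run; the bytes below are fake, not a real capture.
    plan = ["hard_drive", "ram", "cpu_registers"]
    print("acquisition order:", collection_order(plan))
    coc = ChainOfCustody()
    ram_dump = b"\x00" * 64 + b"fake ram image"
    coc.acquire("E-001", "ram", "memory image of host ws-17", ram_dump, collector="analyst-a")
    coc.transfer("E-001", "analyst-a", "evidence-locker", "end of shift")
    print("intact:", coc.verify("E-001", ram_dump, verifier="analyst-b"))
    print("tampered:", coc.verify("E-001", ram_dump + b"!", verifier="analyst-b"))
    print(coc.export())
```

The acquisition hash is set once and never rewritten; every later check appends a new event, so a tampered image shows up as a MISMATCH entry rather than disappearing from the log. In real use the ledger would be written to append-only storage under a separate account from the analyst's, and the artefacts themselves would be hashed with more than one algorithm.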