Incident Response and Computer Forensics Flashcards
What must be determined by the first responder to an incident?
The severity of the event
Which other personnel must be called in
The dollar amount associated with the incident
The severity of the event
A quick assessment of the situation severity by the first responder will determine who needs to be called or what should be done next, based on the incident response policy
After seizing computer equipment alleged to have been involved in a crime, it is placed in a corridor unattended for ten minutes while officers subdue a violent suspect. The seized equipment is no longer admissible as evidence because of what violation?
Order of volatility
Damage control
Chain of custody
Chain of custody
Chain of custody has been violated. Chain of custody involves documenting evidence being collected thoroughly and legally while ensuring that the evidence cannot be tampered with. If the chain of custody has not been maintained because the equipment was unattended, it could result in evidence being deemed inadmissible by a court of law
A warrant has been issued to investigate a server believed to be used by organized crime to swap credit card information. Following the order of volatility, which data should you collect first?
Electronic memory (RAM)
Hard disk
USB flash drive
Electronic memory (RAM)
The order of volatility determines which data is most at risk of loss. Electronic memory (RAM) data is lost when a device is powered off, as are the contents of the CPU cache; therefore, data must be properly collected before the other listed items
While capturing network traffic, you notice an abnormally excessive number of outbound SMTP packets. To determine whether this is an incident that requires escalation or reporting, what else should you consult?
The contents of your inbox
The mail server log
The mail server documentation
The mail server log
The mail server log will reveal SMTP activity such as excessive outbound SMTP traffic. Real-time active monitoring of logs and long-term trend analysis can alert administrators immediately; this is the function of a security sensor such as an intrusion detection system (IDS), which can forward security alerts to a centralized security information and event management (SIEM) dashboard. SIEM dashboards can be secured so that sensitive alerts are available only to the appropriate security personnel. Documentation from previous similar incidents contains lessons learned that can aid in quick remediation
You decide to work late on a Saturday night to replace wiring in your server room. Upon arriving, you realize that a break-in has occurred and server backup tapes appear to be missing. What should you do as law enforcement officials arrive?
Clean up the server room.
Sketch a picture of the area that was illegally entered on a notepad.
Alert officials that the surveillance video is on the premises.
Alert officials that the surveillance video is on the premises.
Video surveillance provides important evidence that could be used to solve this crime. For the organization, analyzing data retention policies for backups should be consulted to determine which data was compromised
Which of the following best visually illustrates the state of a running computer at the time it was seized by law enforcement?
Digital photograph of the motherboard
Digital photograph of the screen
Visio network diagram
Digital photograph of the screen
A digital photograph of a screen can prove relevant to the particular crime because it may reveal what was happening on the system at the time it was seized
Choose the correct order of volatility when collecting digital evidence:
Swap file, RAM, DVD-R, hard disk
RAM, DVD-R, swap file, hard disk
RAM, swap file, hard disk, DVD-R
RAM, swap file, hard disk, DVD-R
Digital forensic evidence must first be collected from the most fragile (power-dependent) locations such as RAM and the swap file. Swap files contain data from physical RAM that were paged to disk to make room for something else in physical RAM. Hard disks are the next most vulnerable, because hard disk data can simply be deleted and the disk can be filled with useless data to make data recovery difficult. A DVD-R is less susceptible to data loss than hard disks since it is read-only
What can a forensic analyst do to reduce the number of files that must be analyzed on a seized disk?
Write a Visual Basic script that deletes files older than 30 days.
Delete files thought to be operating system files.
Ensure that the original disk is pristine and use a hash table on a copy of the files.
Ensure that the original disk is pristine and use a hash table on a copy of the files.
A hash table calculates file hashes for each file. Known standard operating system file hashes can be compared to your file hashes to quickly exclude known authentic operating system files that have not been modified
A professional who is present at the time of evidence gathering can be summoned to appear in court or to prepare a report on her findings for use in court. This person referred to as what?
Defendant
Auditor
Forensic expert witness
Forensic expert witness
A forensic expert witness has specialized knowledge and experience in a field beyond that of the average person, and thus her testimony is deemed authentic
Which of the following best describes chain of custody?
Delegating evidence collection to your superior
Preserving, protecting, and documenting evidence
Capturing a system image to another disk
Preserving, protecting, and documenting evidence
Preserving, protecting, and documenting evidence is referred to as chain of custody. The legally required implementation of evidence preservation is referred to as “legal hold.”
While working on an insider trading case, you are asked to prove that an e-mail message is authentic and was sent to another employee. Which of the following should you consider? (Choose two.)
Was the message encrypted?
Was the message digitally signed?
Are user public keys properly protected?
Are user private keys properly protected?
Was the message digitally signed?
Are user private keys properly protected?
Digitally signing an e-mail message requires a user’s unique private key to which only he has access, which means he had to have sent the message and cannot dispute this fact (nonrepudiation). One factor used to arrive at this conclusion is how well protected user private keys are. If user private keys are simply stored on a hard disk without a password, anybody could have digitally signed the message, in which case user interviews and video surveillance may be used to place a user at a device where he may have access to a private key
What type of evidence would be the most difficult for a perpetrator to forge?
IP address
MAC address
Cell phone SIM card
Cell phone SIM card
Cell phone subscriber identification module (SIM) cards contain unique data such as a serial number, the user’s contacts, text messages, and other relevant mobile subscriber data. This is used in Global System for Mobility (GSM) communication mobile devices and enables the user to use any GSM mobile device as long as a SIM card is inserted
What is the purpose of disk forensic software? (Choose two.)
Using file encryption to ensure copied data mirrors original data
Using file hashes to ensure copied data mirrors original data
Protecting data on the original disks
Creating file hashes on the original disks
Using file hashes to ensure copied data mirrors original data
Protecting data on the original disks
A generated file hash, also called a checksum, is unique to the file on which it was based. Any change to the file invalidates the file hash. This is a method to digitally ensure that the correct version of a file is being analyzed and is part of document provenance, which strives to verify data origin and how it was processed and stored. Data on a seized hard disk must remain intact. Forensic disk software runs on a separate device or boots using its own operating system and uses bitstream copying to copy entire hard disk contents. File hashes should never be generated on the source hard disk; it is imperative that it remain undisturbed
CDMA mobile devices do not use SIM cards.
GSM mobile devices do not use SIM cards.
GSM mobile devices use SIM cards.
GSM mobile devices do not use SIM cards.
Global System for Mobile (GSM) communication devices use SIM cards. This means you could purchase a new GSM mobile device and simply insert your SIM card without having to contact your mobile wireless service provider
You must analyze data on a digital camera’s internal memory. You plan to connect your forensic computer to the camera using a USB cable. What should you do to ensure that you do not modify data on the camera?
Ensure that the camera is turned off.
Flag all files on the camera as read-only.
Use a USB write-blocking device.
Use a USB write-blocking device.
USB write-blocking devices ensure that data can travel in only one direction when collecting digital evidence from storage media, such as a digital camera’s internal memory. If this tool is used, this fact must be documented to adhere to chain-of-custody procedures
