Incident Response Management Techniques Flashcards

1
Q

Splunk is software used for monitoring and analyzing machine data such as logs. Which Splunk application is used to collect logs for analysis?
A. Splunk Enterprise
B. Splunk Receiver
C. Splunk Log Collector
D. Splunk Universal Forwarder

A

A. Splunk Enterprise
Splunk Enterprise is the component that receives, indexes and stores the logs so they can be searched and analyzed. The Splunk Universal Forwarder is a lightweight agent installed on the monitored hosts (servers and workstations); it reads their logs locally and forwards them over the network to the Splunk Enterprise instance.

2
Q

Which Windows Application is configured to allow forwarded log packets to be received by the Splunk Enterprise host?
A. Event viewer
B. Defender
C. Group Policy
D. Task Manager

A

B. Defender
An inbound rule in Windows Defender Firewall on the host running Splunk Enterprise allows TCP traffic from the log forwarder to the receiving port that Splunk Enterprise is configured to listen on (TCP 9997 by convention). Without that rule the host firewall silently drops the forwarded events and nothing arrives for indexing.

3
Q

What is the purpose of using hashing algorithms when creating a forensic image of a data source?
A. Availability
B. Integrity
C. Accounting
D. Confidentiality

A

B. Integrity
A hash (for example SHA-256) is computed over the original data source and again over the forensic image. Matching digests show that the image is a bit-for-bit copy, and the recorded digest lets anyone re-verify later that the image has not been altered since acquisition. That is what preserves the evidentiary integrity of the copy; hashing does not hide the data (confidentiality) or keep it available.

4
Q

What is the purpose of making the forensic copy a read-only copy?
A. The forensic copy should not be read-only
B. Ensures the confidentiality of the data source
C. Ensures that forensic analysis cannot affect/modify the data being analyzed
D. Confirms the non-repudiation of the forensic analyst

A

C. Ensures that forensic analysis cannot affect/modify the data being analyzed
Opening or mounting the forensic copy read-only guarantees that the analysis tools cannot write to it, even accidentally (for example an operating system updating access timestamps or a tool writing a journal), so the data being analyzed stays exactly as it was acquired and its hash continues to verify. The original evidence is likewise protected with a write blocker during acquisition; all analysis is done on the copy.

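The following script, added here as an example and not part of the original flashcards, ties cards 3 and 4 together: it acquires an image of a source, hashes the source bytes while they are read and the image independently after it is written, marks the image read-only, and then shows that a single flipped byte in a writable copy is caught by re-verification. The "evidence" is a constructed 3 MiB file in a temporary directory rather than a real disk, and all function and file names are illustrative assumptions.

```python
"""Forensic imaging with hash verification and a read-only working copy.

Added example, not code from the original flashcards. The source is a
constructed file in a temporary directory so the script runs offline;
function and file names are illustrative.
"""
import hashlib
import os
import shutil
import stat
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large sources do not fill RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Bit-for-bit copy source -> image, returning (source_hash, image_hash).

    The source digest is computed from the bytes as they are read; the image
    is then hashed separately from disk, so the two digests agree only if the
    written copy is exact. The image is set read-only before it is returned
    so later analysis cannot modify it.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    os.chmod(image, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return h.hexdigest(), sha256_file(image)


def verify_image(image, expected_hash):
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return sha256_file(image) == expected_hash


def is_read_only(path):
    """True when the owner write bit is clear (checks mode bits, not os.access,
    so the answer is the same whether or not the caller is root)."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def demo():
    """End-to-end run on constructed data; returns a dict of boolean results."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "evidence.bin")
        image = os.path.join(workdir, "evidence.dd")
        # Constructed sample "disk": 3 MiB of deterministic bytes.
        with open(source, "wb") as f:
            for i in range(3):
                f.write(bytes([i]) * (1024 * 1024))

        src_hash, img_hash = acquire_image(source, image)
        results = {
            "hashes_match": src_hash == img_hash,
            "image_read_only": is_read_only(image),
            "verifies_clean": verify_image(image, src_hash),
        }

        # Simulate a corrupted or tampered image: flip one bit in a writable
        # copy, then show that re-verification against the recorded hash fails.
        tampered = os.path.join(workdir, "evidence_tampered.dd")
        shutil.copyfile(tampered_src := image, tampered)
        os.chmod(tampered, stat.S_IRUSR | stat.S_IWUSR)
        with open(tampered, "r+b") as f:
            f.seek(12345)
            original = f.read(1)
            f.seek(12345)
            f.write(bytes([original[0] ^ 0x01]))
        results["tampered_detected"] = not verify_image(tampered, src_hash)
        return results
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the source hash is taken from the bytes actually read during acquisition rather than from a second pass over the source, so a source that changes between passes cannot produce a misleading match; and the read-only check inspects the mode bits rather than `os.access`, which reports writable for root regardless of permissions.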