Introduction to Computer Forensics and Incident Response

Question 1

What must be determined by the first responder to an incident?

The severity of the event

Which other personnel must be called in

The dollar amount associated with the incident

Answer 1

The severity of the event

A quick assessment of the situation severity by the first responder will determine who needs to be called or what should be done next, based on the incident response policy

Question 2

After seizing computer equipment alleged to have been involved in a crime, it is placed in a corridor unattended for ten minutes while officers subdue a violent suspect. The seized equipment is no longer admissible as evidence because of what violation?

Order of volatility

Damage control

Chain of custody

Answer 2

Chain of custody

Chain of custody has been violated. Chain of custody involves documenting evidence being collected thoroughly and legally while ensuring that the evidence cannot be tampered with

Question 3

A warrant has been issued to investigate a server believed to be used by organized crime to swap credit card information. Following the order of volatility, which data should you collect first?

Electronic memory (RAM)

Hard disk

USB flash drive

Answer 3

Electronic memory (RAM)

The order of volatility determines which data is most at risk of loss. Electronic memory (RAM) data is lost when a device is powered off; therefore, it must be properly collected first

Question 4

A server configured with a RAID 5 array must be properly imaged to preserve the original state of the data. You decide against imaging each physical hard disk in the array. Which two tasks must you perform? (Choose two.)

Change the server CMOS boot order.

Image the array as a single logical disk.

Ensure that your imaging solution supports RAID.

Update the firmware for the RAID controller.

Answer 4

Image the array as a single logical disk.

Ensure that your imaging solution supports RAID.

You should ensure that your forensic imaging tool supports the RAID controller on the system you must image, and then you should image the disks as a single logical disk

Question 5

While capturing network traffic, you notice an abnormally excessive number of outbound SMTP packets. To determine whether this is an incident that requires escalation or reporting, what else should you consult?

The contents of your inbox

The mail server log

The mail server documentation

Answer 5

The mail server log

The mail server log will reveal SMTP activity such as excessive outbound SMTP traffic. Real-time active monitoring of logs can alert administrators immediately, as is the function of an intrusion detection system (IDS). Documentation from previous similar incidents contains lessons learned that can aid in quick remediation

Question 6

You decide to work late on a Saturday night to replace wiring in your server room. Upon arriving, you realize there has been a break-in and server backup tapes appear to be missing. What should you do as law enforcement officials arrive?

Clean up the server room.

Sketch a picture of the broken-into premises on a notepad.

Alert officials that the premise has surveillance video.

Answer 6

Alert officials that the premise has surveillance video.

Video surveillance provides important evidence that could be used to solve this crime

Question 7

Which of the following best visually illustrates the state of a computer at the time it was seized by law enforcement?

Digital photograph of the motherboard

Screenshot

Visio network diagram

Answer 7

Screenshot

A screenshot can be acquired in many ways and can prove relevant to the particular crime because it may reveal what was happening on the system at the time

Question 8

Choose the correct order of volatility when collecting digital evidence:

Hard disk, DVD-R, RAM, swap file

RAM, DVD-R, swap file, hard disk

RAM, swap file, hard disk, DVD-R

Answer 8

RAM, swap file, hard disk, DVD-R

Digital forensic evidence must first be collected from the most fragile (power-dependent) locations such as RAM and the swap file. Swap files contain data from physical RAM that were paged to disk to make room for something else in physical RAM. Hard disks are the next most vulnerable because hard disk data can simply be deleted and the hard disk can be filled with useless data to make data recovery difficult. A DVD-R is less susceptible to data loss than hard disks since it is read-only

Question 9

What can a forensic analyst do to reduce the number of files that must be analyzed on a seized disk?

Write a Visual Basic script.

Delete files thought to be operating system files.

Ensure that the original disk is pristine and use a hash table on a copy of the files.

Answer 9

Ensure that the original disk is pristine and use a hash table on a copy of the files.

A hash table calculates file hashes for each file. Known standard operating system file hashes can be compared to your file hashes to quickly exclude known authentic files that have not been modified

Question 10

A professional who is present at the time of evidence gathering can be summoned to appear in court or to prepare a report on her findings for use in court. This person referred to as what?

Plaintiff

Defendant

Forensic expert witness

Answer 10

Forensic expert witness

A forensic expert witness has specialized knowledge and experience in a field beyond that of the average person, and thus her testimony is deemed authentic

Question 11

Which of the following best describes chain of custody?

Delegating evidence collection to your superior

Preserving, protecting, and documenting evidence

Capturing a system image to another disk

Answer 11

Preserving, protecting, and documenting evidence

Preserving, protecting, and documenting evidence is referred to as chain of custody. The legally required implementation of evidence preservation is referred to as “legal hold”

Question 12

While working on an insider trading case, you are asked to prove that an e-mail message is authentic and was sent to another employee. Which items should you consider? (Choose two.)

Was the message encrypted?

Was the message digitally signed?

Are user public keys properly protected?

Are user private keys properly protected?

Answer 12

Was the message digitally signed?

Are user private keys properly protected?

Digitally signing an e-mail message requires a user’s unique private key to which only he has access, which means he had to have sent the message. One factor used to arrive at this conclusion is how well protected user private keys are. If user private keys are simply stored on a hard disk without a password, anybody could have digitally signed the message

Question 13

What type of evidence would be the most difficult for a perpetrator to forge?

IP address

Cell phone SIM card

Documents on a USB flash drive

Answer 13

Cell phone SIM card

Cell phone subscriber identification module (SIM) cards contain unique data such as a serial number, the user’s contacts, text messages, and other relevant mobile subscriber data. This is used in Global System for Mobility (GSM) communication mobile devices and enables the user to use any GSM mobile device as long as a SIM card is inserted

Question 14

What is the purpose of disk forensic software? (Choose two.)

Using file encryption to ensure copied data mirrors original data

Using file hashes to ensure copied data mirrors original data

Protecting data on the original disks

Creating file hashes on the original disks

Answer 14

Using file hashes to ensure copied data mirrors original data

Protecting data on the original disks

A generated file hash is unique to the file on which it was based. Any change to the file invalidates the file hash. This is a method to digitally ensure that the correct version of a file is being analyzed. Data on a seized hard disk must remain intact. Forensic disk software runs on a separate device or boots using its own operating system and uses bitstream copying to copy entire hard disk contents. File hashes should never be generated on the source hard disk; it is imperative that it remain undisturbed

Question 15

You are preparing to gather evidence from a cell phone. Which of the following is false?

CDMA mobile devices do not use SIM cards.

GSM mobile devices do not use SIM cards.

GSM mobile devices use SIM cards.

Answer 15

GSM mobile devices do not use SIM cards.

Global System for Mobile (GSM) communication devices use subscriber identity module (SIM) cards. This means you could purchase a new GSM mobile device and simply insert your SIM card without having to contact your mobile wireless service provider

Question 16

You must analyze data on a digital camera’s internal memory. You plan to connect your forensic computer to the camera using a USB cable. What should you do to ensure you do not modify data on the camera?

Ensure the camera is turned off.

Flag all files on the camera as read-only.

Use a USB write-blocking device.

Answer 16

Use a USB write-blocking device.

USB write-blocking devices ensure that data can travel in only one direction when collecting digital evidence from storage media, such as a digital camera’s internal memory. The fact that this tool was used must be documented to adhere to chain-of-custody procedures

Question 17

What can be used to ensure that seized mobile wireless devices do not communicate with other devices?

SIM card

Faraday bag

Antistatic bag

Answer 17

Faraday bag

A Faraday bag is a mobile device shield that prevents wireless signals to or from the mobile device. This must be used immediately upon seizure of a wireless mobile device to ensure that data stored on it is not modified through wireless remote communications

Question 18

Robin works as a network technician at a stock brokerage firm. To test network forensic capturing software, she plugs her laptop into an Ethernet switch and begins capturing network traffic. During later analysis, she notices some broadcast and multicast packets as well as her own computer’s network traffic. Why was she unable to capture all network traffic on the switch?

She must disable promiscuous mode on her NIC.

Each switch port is an isolated collision domain.

Each switch port is an isolated broadcast domain.

Answer 18

Each switch port is an isolated collision domain.

Ethernet switches isolate each port into its own collision domain. When capturing network traffic, this means you will not see traffic to or from other computers plugged into other switch ports, other than broadcast and multicast packets. Some switches allow you to copy all switch traffic to a monitoring port, but the scenario did not mention this

Question 19

A network intrusion detection device captures network traffic during the commission of a crime on a network. You notice NTP and TCP packets from all network hosts in the capture. You must find a way to correlate captured packets to a date and time to ensure the packet captures will be considered admissible as evidence. What should you do? (Choose two.)

Nothing. NTP keeps time in sync on a network.

Nothing. Packet captures are time stamped.

Without digital signatures, date and time cannot be authenticated.

Without encryption, date and time cannot be authenticated.

Answer 19

Nothing. NTP keeps time in sync on a network.

Nothing. Packet captures are time stamped.

Network Time Protocol (NTP) keeps computers synchronized to a reliable time source. Captured network traffic is time stamped and includes offset time stamps from when the capture was started

Question 20

You arrive at a scene where a computer must be seized as evidence. The computer is powered off and has an external USB hard drive plugged in. What should you do?

Turn on the computer.

Unplug the external USB hard drive.

Thoroughly document the state of the equipment.

Answer 20

Thoroughly document the state of the equipment.

Thoroughly documenting the state of seized equipment is critical to adhere to chain-of-custody procedures. Failure to do so will render collected evidence inadmissible

Question 21

You are asked to examine a hard disk for fragments of instant messaging conversations as well as deleted files. How should you do this?

Use bitstream copying tools.

Log in to the computer and copy the original hard drive contents to an external USB hard drive.

View log files.

Answer 21

Use bitstream copying tools.

Bitstream forensic copying tools copy hard disk data at the bit level, not at the file level. When a file is deleted, it may disappear from the file system, but the file data in its entirety is intact on the hard disk until the hard disk is filled with new data. Deleted files are not copied with file-level copying, but they are with bitstream copying

Question 22

Which type of file is most likely to contain incriminating data?

Password-protected Microsoft Word file

Encrypted Microsoft Word file

Digitally signed Microsoft Word file

Answer 22

Encrypted Microsoft Word file

The existence of encrypted files implies somebody sought to protect confidential or incriminating data (bad guys always try to cover their tracks). The required key (file, passphrase, or physical device) must be used to decrypt the data

Question 23

How can a forensic analyst benefit from analyzing metadata? (Choose three.)

JPEG metadata can reveal specific camera settings.

Microsoft Word metadata can reveal the author name.

Microsoft Excel metadata can reveal your MAC address.

PDF metadata can reveal the registered company name.

Answer 23

JPEG metadata can reveal specific camera settings.

Microsoft Word metadata can reveal the author name.

PDF metadata can reveal the registered company name.

Metadata is information that describes data. For example, a JPEG picture taken with a digital camera could contain hidden data including camera settings, date and time, and so on. Microsoft Word and Portable Document Format (PDF) documents contain metadata such as the document author name, registered company name, and so on

Question 24

Which of the following rules must be followed when performing forensic analysis? (Choose two.)

Work only with the original authentic data.

Work only with a copy of data.

Seek legal permission to conduct an analysis.

Seek your manager’s permission to conduct an analysis.

Answer 24

Work only with a copy of data.

Seek legal permission to conduct an analysis.

You must obtain proper legal permission to seize and analyze data. Perform analysis on a forensic copy of data; never work on the original data because this will render evidence inadmissible

Question 25

The IT director is creating the following year’s budget. You are asked to submit forensic dollar figures for your cyber-incident response team. Which one item should you not submit?

Travel expenses

Training expenses

ALE amounts

Answer 25

ALE amounts

Annual loss expectancy (ALE) is used to calculate the probability of asset failure over a year. It is used when performing a risk assessment

Question 26

Users report at 9:30 a.m. severely degraded network performance since the workday began at 8 a.m. After network analysis and a quick discussion with your IT security team, you conclude a worm virus has infected your network. What should you do to control the damage? (Choose two.)

Determine the severity of the security breach.

Unplug SAN devices.

Shut down all servers.

Shut down Ethernet switches.

Answer 26

Determine the severity of the security breach.

Shut down Ethernet switches.

Once the severity of the issue has been determined, the quickest way to control the spread of a worm virus is to eliminate network connectivity

Question 27

A suspect deletes incriminating files and empties the Windows recycle bin. Which of the following statements are true regarding the deletion? (Choose two.)

The files cannot be recovered.

The files can be recovered.

Deleted files contain all of their original data until the hard disk is filled with other data.

Deleted files contain all of their original data until the hard disk is defragmented.

Answer 27

The files can be recovered.

Deleted files contain all of their original data until the hard disk is filled with other data.

Emptying the Windows recycle bin makes deleted files inaccessible to Windows users; however, the entire file contents are still on the disk until the disk is filled with other data. A third-party tool must be used to recover the deleted items in this case

Question 28

The local police suspect a woman is using her computer to commit online fraud, but she encrypts her hard disk with a strong passphrase. Law enforcement would like to access the data on the encrypted disk to obtain forensic evidence. What tasks should be done? (Choose two.)

Harness the processing power of thousands of Internet computers and attempt to crack the encryption passphrase.

Obtain a warrant.

Install a packet sniffer on the suspect’s network.

Install a keylogger to capture the passphrase.

Answer 28

Obtain a warrant.

Install a keylogger to capture the passphrase.

A warrant should be obtained to install a keylogger on the suspect’s computer. A keylogger captures everything typed in, including passphrases used to decrypt hard disks

Question 29

A seized USB flash drive contains only natural scenic pictures. Law enforcement officers were convinced incriminating data was stored on the USB flash drive. What else should be done?

Decrypt the USB flash drive.

Check for steganographic hidden data.

Analyze the USB flash drive log.

Answer 29

Check for steganographic hidden data.

Steganography is the art of concealing data within other data, such as hiding messages within pictures. There are tools that can identify whether this is the case

Question 30

Richard, a meteorologist, is using specialized algorithms to develop climate projection models based on 30TB of weather data collected over the years. Which term best describes this scenario?

Massive data analysis

Weather analysis

Big data analysis

Answer 30

Big data analysis

Big data analysis refers to using specialized tools or algorithms to analyze large volumes of data