Introduction to Computer Forensics and Incident Response Flashcards
What must be determined by the first responder to an incident?
The severity of the event
Which other personnel must be called in
The dollar amount associated with the incident
The severity of the event
A quick assessment of the situation severity by the first responder will determine who needs to be called or what should be done next, based on the incident response policy
After seizing computer equipment alleged to have been involved in a crime, it is placed in a corridor unattended for ten minutes while officers subdue a violent suspect. The seized equipment is no longer admissible as evidence because of what violation?
Order of volatility
Damage control
Chain of custody
Chain of custody
Chain of custody has been violated. Chain of custody involves documenting evidence being collected thoroughly and legally while ensuring that the evidence cannot be tampered with
A warrant has been issued to investigate a server believed to be used by organized crime to swap credit card information. Following the order of volatility, which data should you collect first?
Electronic memory (RAM)
Hard disk
USB flash drive
Electronic memory (RAM)
The order of volatility determines which data is most at risk of loss. Electronic memory (RAM) data is lost when a device is powered off; therefore, it must be properly collected first
A server configured with a RAID 5 array must be properly imaged to preserve the original state of the data. You decide against imaging each physical hard disk in the array. Which two tasks must you perform? (Choose two.)
Change the server CMOS boot order.
Image the array as a single logical disk.
Ensure that your imaging solution supports RAID.
Update the firmware for the RAID controller.
Image the array as a single logical disk.
Ensure that your imaging solution supports RAID.
You should ensure that your forensic imaging tool supports the RAID controller on the system you must image, and then you should image the disks as a single logical disk
While capturing network traffic, you notice an abnormally excessive number of outbound SMTP packets. To determine whether this is an incident that requires escalation or reporting, what else should you consult?
The contents of your inbox
The mail server log
The mail server documentation
The mail server log
The mail server log will reveal SMTP activity such as excessive outbound SMTP traffic. Real-time active monitoring of logs can alert administrators immediately, as is the function of an intrusion detection system (IDS). Documentation from previous similar incidents contains lessons learned that can aid in quick remediation
You decide to work late on a Saturday night to replace wiring in your server room. Upon arriving, you realize there has been a break-in and server backup tapes appear to be missing. What should you do as law enforcement officials arrive?
Clean up the server room.
Sketch a picture of the broken-into premises on a notepad.
Alert officials that the premise has surveillance video.
Alert officials that the premise has surveillance video.
Video surveillance provides important evidence that could be used to solve this crime
Which of the following best visually illustrates the state of a computer at the time it was seized by law enforcement?
Digital photograph of the motherboard
Screenshot
Visio network diagram
Screenshot
A screenshot can be acquired in many ways and can prove relevant to the particular crime because it may reveal what was happening on the system at the time
Choose the correct order of volatility when collecting digital evidence:
Hard disk, DVD-R, RAM, swap file
RAM, DVD-R, swap file, hard disk
RAM, swap file, hard disk, DVD-R
RAM, swap file, hard disk, DVD-R
Digital forensic evidence must first be collected from the most fragile (power-dependent) locations such as RAM and the swap file. Swap files contain data from physical RAM that were paged to disk to make room for something else in physical RAM. Hard disks are the next most vulnerable because hard disk data can simply be deleted and the hard disk can be filled with useless data to make data recovery difficult. A DVD-R is less susceptible to data loss than hard disks since it is read-only
What can a forensic analyst do to reduce the number of files that must be analyzed on a seized disk?
Write a Visual Basic script.
Delete files thought to be operating system files.
Ensure that the original disk is pristine and use a hash table on a copy of the files.
Ensure that the original disk is pristine and use a hash table on a copy of the files.
A hash table calculates file hashes for each file. Known standard operating system file hashes can be compared to your file hashes to quickly exclude known authentic files that have not been modified
A professional who is present at the time of evidence gathering can be summoned to appear in court or to prepare a report on her findings for use in court. This person referred to as what?
Plaintiff
Defendant
Forensic expert witness
Forensic expert witness
A forensic expert witness has specialized knowledge and experience in a field beyond that of the average person, and thus her testimony is deemed authentic
Which of the following best describes chain of custody?
Delegating evidence collection to your superior
Preserving, protecting, and documenting evidence
Capturing a system image to another disk
Preserving, protecting, and documenting evidence
Preserving, protecting, and documenting evidence is referred to as chain of custody. The legally required implementation of evidence preservation is referred to as “legal hold”
While working on an insider trading case, you are asked to prove that an e-mail message is authentic and was sent to another employee. Which items should you consider? (Choose two.)
Was the message encrypted?
Was the message digitally signed?
Are user public keys properly protected?
Are user private keys properly protected?
Was the message digitally signed?
Are user private keys properly protected?
Digitally signing an e-mail message requires a user’s unique private key to which only he has access, which means he had to have sent the message. One factor used to arrive at this conclusion is how well protected user private keys are. If user private keys are simply stored on a hard disk without a password, anybody could have digitally signed the message
What type of evidence would be the most difficult for a perpetrator to forge?
IP address
Cell phone SIM card
Documents on a USB flash drive
Cell phone SIM card
Cell phone subscriber identification module (SIM) cards contain unique data such as a serial number, the user’s contacts, text messages, and other relevant mobile subscriber data. This is used in Global System for Mobility (GSM) communication mobile devices and enables the user to use any GSM mobile device as long as a SIM card is inserted
What is the purpose of disk forensic software? (Choose two.)
Using file encryption to ensure copied data mirrors original data
Using file hashes to ensure copied data mirrors original data
Protecting data on the original disks
Creating file hashes on the original disks
Using file hashes to ensure copied data mirrors original data
Protecting data on the original disks
A generated file hash is unique to the file on which it was based. Any change to the file invalidates the file hash. This is a method to digitally ensure that the correct version of a file is being analyzed. Data on a seized hard disk must remain intact. Forensic disk software runs on a separate device or boots using its own operating system and uses bitstream copying to copy entire hard disk contents. File hashes should never be generated on the source hard disk; it is imperative that it remain undisturbed
You are preparing to gather evidence from a cell phone. Which of the following is false?
CDMA mobile devices do not use SIM cards.
GSM mobile devices do not use SIM cards.
GSM mobile devices use SIM cards.
GSM mobile devices do not use SIM cards.
Global System for Mobile (GSM) communication devices use subscriber identity module (SIM) cards. This means you could purchase a new GSM mobile device and simply insert your SIM card without having to contact your mobile wireless service provider