Lesson 18: Explaining Digital Forensics Flashcards
A system breach occurs at a financial organization. The system in question contains highly valuable data. When performing data acquisition for an investigation, which component does an engineer acquire first?
A. RAM
B. Browser cache
C. SSD data
D. Disk controller cache
D (order of volatility: CPU registers and cache, including disk controller and GPU cache, are collected before RAM, which is collected before swap and persistent storage)
A security expert archives sensitive data that is crucial to a legal case involving a data breach. The court is holding this data due to its relevance. The expert fully complies with any procedures as part of what legal process?
A. Chain of custody
B. Due process
C. Forensics
D. Legal hold
D
A cloud server has been breached. The organization realizes that data acquisition in the cloud differs from acquisition on-premises. Which roadblocks may the organization have to consider when acquiring data? (Select all that apply.)
A. On-demand services
B. Jurisdiction
C. Chain of custody
D. Notification laws
A,B,C
An engineer plans to acquire data from a disk. The disk is connected to the forensics workstation and is ready for the engineer. Which steps indicate a correct order of acquisition as they relate to integrity and non-repudiation?
A. 1. A hash of the disk is made; 2. A bit-by-bit copy is made; 3. A second hash is made; 4. A copy is made of the reference image
B. 1. A hash of the disk is made; 2. A copy is made of the reference image; 3. A second hash is made; 4. A bit-by-bit copy is made
C. 1. A copy is made of the reference image; 2. A hash of the disk is made; 3. A bit-by-bit copy is made; 4. A second hash is made
D. 1. A copy is made of the reference image; 2. A bit-by-bit copy is made; 3. A hash of the disk is made; 4. A second hash is made
A
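The four steps in answer A, carried out as a script. This is an added example, not part of the flashcard set: it hashes the source before anything touches it, makes a bit-by-bit copy with dd, hashes the image and refuses to continue if the two hashes differ, then produces a working copy so the reference image is never analyzed directly. It assumes a Linux workstation with GNU coreutils (dd, sha256sum), and stands in a constructed 1 MiB file for the evidence disk; on a real acquisition the source would be a block device such as /dev/sdX read through a write blocker.

```shell
#!/bin/sh
# Added example: evidence-grade disk acquisition in the order
# hash source -> bit copy -> hash image -> working copy.
# Assumes GNU coreutils (dd, sha256sum); the "disk" below is a constructed file.
set -eu

# acquire_image SRC IMG
# Prints the SHA-256 of the source on success; returns 1 if the image hash differs.
acquire_image() {
  src=$1
  img=$2

  # 1. Hash the source before anything else touches it.
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)

  # 2. Bit-by-bit copy. bs=4096 only affects throughput. Deliberately no
  #    conv=sync: zero-padding a short final block would change the hash.
  dd if="$src" of="$img" bs=4096 2>/dev/null

  # 3. Hash the image and compare. A mismatch means the copy is not evidence.
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  if [ "$src_hash" != "$img_hash" ]; then
    echo "hash mismatch: source=$src_hash image=$img_hash" >&2
    return 1
  fi

  # 4. Analysis happens on a working copy; the reference image is then
  #    made read-only and its hash stored beside it for later re-verification.
  cp "$img" "$img.working"
  printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
  chmod a-w "$img"

  # Chain-of-custody entry: when, who, what, and the hash that proves integrity.
  printf '%s %s acquired %s -> %s sha256=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$src" "$img" "$img_hash" \
    >> "$img.custody.log"

  printf '%s\n' "$img_hash"
}

# verify_image IMG: re-check the reference image against its recorded hash.
# Exit status 0 means the image still matches; non-zero means it was altered.
verify_image() {
  ( cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256" )
}

# Demonstration on a constructed "disk": 1 MiB of pseudo-random bytes
# stands in for the evidence device.
demo_dir=$(mktemp -d)
head -c 1048576 /dev/urandom > "$demo_dir/suspect.raw"
acquire_image "$demo_dir/suspect.raw" "$demo_dir/suspect.img"
verify_image "$demo_dir/suspect.img" && echo "reference image verified"
```

Two practical notes. The second hash (step 3) is what gives the image its integrity claim, so the script fails closed on a mismatch rather than logging it and continuing; a drive with unreadable sectors will produce exactly that mismatch, which is why purpose-built imagers log bad-sector offsets and hash during the copy instead of re-reading the device. The working copy in step 4 is the only file an analyst should open; anything that writes to the reference image, even a filesystem mount that updates access times, breaks the chain that the stored hash and custody log are meant to prove.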
An engineer retrieves data for a legal investigation related to an internal fraud case. The data in question is from an NTFS volume. What will the engineer have to consider with NTFS when documenting a data timeline?
A. UTC time
B. Local system time
C. Time server
D. DHCP server
A
An engineer uses digital forensics for information gathering. The primary focus is counterintelligence. Which concepts does the engineer pursue? (Select all that apply.)
A. Identification and analysis of specific adversary tactics
B. Build cybersecurity capabilities
C. Configure and audit active logging systems
D. Inform risk management provisioning
A,C
Which term defines the practice of collecting evidence from computer systems to an accepted standard in a court of law?
A. Forensics
B. Due process
C. eDiscovery
D. Legal hold
A
A system breach occurs at a retail distribution center. Data from a persistent disk is required as evidence. No write blocker technology is available. Which approach does a security analyst use to acquire the disk?
A. Carving
B. Cache
C. Snapshot
D. Artifact
C
Which of the following is an example of the process of identifying and de-duplicating files and metadata to be stored for evidence in a trial?
A. Legal hold
B. Forensics
C. eDiscovery
D. Due process
C
A system breach occurs at a manufacturer. The system in question contains highly valuable data. An engineer plans a live acquisition but is ultimately unsuccessful. What reason may be stopping the engineer?
A. There is no hibernation file present
B. The tools are not preinstalled or running
C. The crash dump file is missing
D. The pagefile is corrupt
B