Module 8: Forensic Analysis and Incident Response

Question 1

What is computer forensics

Answer 1

A methodical way of gathering evidence from computing equipment and storage devices that can be presented in a court of law

Question 2

What are the computer forensic methodologies basic activities

Answer 2

• Preservation (preserve the integrity of the original evidence)
• Identification (Identify the evidence and its location)
• Extraction (Extract the data from the evidence; the data may be volatile)
• Interpretation (Interpret what the forensic examiner has found)
• Documentation (COC form and documents relating to the evidence analysis)

Question 3

TRUE or FALSE: The evidence acquired from computers is fragile and can be erased or altered

Answer 3

TRUE

Question 4

TRUE or FALSE: Computer forensic tools and methodologies are major components of an organization’s disaster recovery preparedness

Answer 4

TRUE

Question 5

TRUE or FALSE: One of the main objectives of computer forensics is to extract, copy, and document the computer and related materials in such a way that it can be presented as evidence in a court of law

Answer 5

FALSE

A forensic examiner needs to recover, analyze, and preserve computer and related materials

Question 6

How does forensic analysis help in an incident

Answer 6

Determining the exact cause

Question 7

Sometimes there are multiple incidents on a network or different incidents involving computers, forensic analysis can help sort out the incidents by doing what

Answer 7

Generate a timeline

Question 8

When Ashland does her job for legal why is she doing it

Answer 8

Because forensic analysis saves organizations from legal liabilities and lawsuits

Also she is a glutton for punishment but EC Council doesn’t care about that, if you want to pass use the above answer

Question 9

When using forensic analysis of the affected system how does it help

Or why are we getting Manuel Garcia’s laptop shipped to Savannah to have forensic analysis look at it for that cracked software

Answer 9

Forensic analysis helps in determining the nature of incidents and the impact of the incident

Question 10

What are the objectives of forensic readiness

Answer 10

• Maximizing an environment’s ability to collect credible digital evidence
• Minimizing the cost forensics during an incident response

Question 11

What happens when a company has a lack of forensic readiness

Answer 11

• Loss of clients by damaging the organization’s reputation
• System downtime
• Data manipulation, deletion, and theft

Question 12

What are the different types of forensics

Answer 12

• Disk forensics (data stored on physical storage media)
• Network forensics (sniffing the network traffic)
• E-mail forensics (Studying the source and content of an email)
• Internet forensics (Analysis of various web applications)
• Source code forensics (Determining the software ownership and copyright issues)

Question 13

What is a computer forensic investigator

Answer 13

A person who handles the investigation process.

They must have a general knowledge of computer hardware & software, be able to protect the digital evidence, and be properly certified

Question 14

Who are some of the people involved in computer forensics according to EC Council

Answer 14

• Attorney
• Photographer
• Incident Responder
• Decision Maker
• Incident Analyzer
• Evidence Examiner/Investigator
• Evidence Documenter
• Evidence Manager
• Expert Witness

Question 15

What is the forensics process

Answer 15

• Preparation (Building a forensic strategy)
• Collection (Gather any evidence associated with the incident)
• Examination (Processing large amounts of collected data)
• Analysis (Data has be analyzed to draw conclusions in support of the case)
• Reporting

Question 16

What is digital evidence

Answer 16

Any information of probative value that is either stored or transmitted in a digital form

Question 17

TRUE or FALSE: Collection and preservation of digital evidence is easy

Answer 17

FALSE

It is difficult because digital evidence is fragile in nature and can be altered or erased without a trace

Question 18

What are characteristics of the digital evidence

Answer 18

• Admissible (Related to the face being proven)
• Authentic (Evidence must be real and related to the incident)
• Complete (The evidence must show the complete picture)
• Reliable (Evidence must not cast any doubt)
• Believable (Evidence must be clear and understandable)

Question 19

What are the electronic evidence that can be collected

Answer 19

• Data Files (Desktops/laptops/servers)
• Backup Tapes (System-wide backups/Disaster recovery backups/Personal backups)
• Other Media Sources (Hard Drives/Portable media/Tape archives)

Question 20

TRUE or FALSE: You need to record the extent of the system’s clock drift when collecting electronic evidence

Answer 20

TRUE

Question 21

If you are at a crime scene and the computer is turned off what does that mean for the data

Answer 21

The data which is not saved can be lost permanently

Question 22

After an incident, if a user writes some data to the system what happens to the data/evidence

Answer 22

It may overwrite the crime evidence

Question 23

TRUE or FALSE: Digital evidence isn’t circumstantial

Answer 23

FALSE

It makes it difficult to forensics investigator to differentiate the system’s activity

Question 24

TRUE or FALSE: A forensic policy should outline things to do if information is exposed accidentally

Answer 24

TRUE

Question 25

Which document helps in protecting evidence from physical or logical damage

Answer 25

Chain-of-Custody

Question 26

Who is responsible for examining the evidence acquired and separating the useful evidence

Answer 26

Evidence Examiner/Investigator