Udemy-Domain 7

Question 1

a chain of custody form would record the following 4 things:

Answer 1

Who handled the evidence
What they did with it
Where they had it
When they had it

Question 2

a hard drive has ___ going around (like grooves in a vinyl record) and ___ going out from the center like pie slices. Where these intersect is called a ___ and groups of adjacent ones are called ___

Answer 2

tracks; sectors; track sectors; clusters

Question 3

the 4 types of disk-based forensic data are

Answer 3

allocated space
unallocated space
slack space
bad blocks/clusters/sectors

Question 4

Network forensics can be of the first type where ___ and the second type where ___ which technically requires a search warrant or approval

Answer 4

we monitor traffic for anomalies;

data is reassembled from traffic

Question 5

collecting network data for forensics can either be ___, where the traffic is stored for later analysis, or ___, where each packet is analyzed in real-time, and only some is stored

Answer 5

catch if you can (requires more storage);

stop, look and listen (requires more processing power)

Question 6

a security ___ triggers warnings if an ___ happens

Answer 6

alert; event

Question 7

a security ___ consists of multiple adverse events happening on a system or network

Answer 7

incident

Question 8

the difference between a security incident and a security problem is that a problem ___

Answer 8

has an unknown cause and warrants more root cause analysis

Question 9

a security ___ is a non-disruptive failure

Answer 9

inconvenience

Question 10

a security ___ is urgent, an event with potential for loss of life or property

Answer 10

emergency

Question 11

a ___ is an event that causes an entire facility to be unusable for 24 hours or longer

Answer 11

disaster

Question 12

a ___ is an event that destroys a facility

Answer 12

catastrophe

Question 13

a ___ port is configured to capture all the traffic on the network

Answer 13

SPAN

Question 14

one advantage of HIDS over NIDS is that it can see the traffic ___

Answer 14

unencrypted

Question 15

one disadvantage of HIDS over NIDS is that some attacks can ___

Answer 15

disable a HIDS

Question 16

disabling ports on a network workstation should be done from ___

Answer 16

active directory

Question 17

to ensure that ALL devices on a network are properly configured/hardened, use ___

Answer 17

OS images

Question 18

change management is ___, but change control is ___

Answer 18

the entire project of the change; the parts where we control the change

Question 19

one reason to exclude OS files from a backup is ___

Answer 19

to avoid backing up any rootkit programs

Question 20

one difference between incremental and differential backups is that ___ backups do not clear the archive bit

Answer 20

differential

Question 21

a copy backup is like a full backup, except ___

Answer 21

it doesn’t clear the archive bit

Question 22

___ refers to anything computer-related, but ___ refers to anything online

Answer 22

IT security; cyber-security

Question 23

a DRP has the 4 basic steps:

Answer 23

1. Mitigation (reduce likelihood and impact)
2. Preparation (Procedures, tools and training)
3. Response
4. Recovery (restore functionality/production)

Question 24

in Disaster Recovery the Recovery team gets an alternate site up and running (failover), starting with the most critical systems. The Salvage team ___ starting with ___

Answer 24

restores the original infrastructure (failback); the least critical systems (to ensure stability)

Question 25

in a ___, the disaster recovery plan is read by team members looking for glaring omissions or missing sections

Answer 25

DRP review

Question 26

in a ___ DRP review, managers go through the plan to see if they have all the components it calls for

Answer 26

read through (checklist)

Question 27

in a ___ DRP review, managers and critical personnel talk through each process, looking for gaps, omissions or technical inaccuracies

Answer 27

tabletop/structured talk/walkthrough

Question 28

in a ___ DRP review, the team simulates a disaster and personnel respond with their part

Answer 28

simulated test/walkthrough drill

Question 29

in a ___ DRP review, critical components are activated at a secondary site using backups, and compared with the primary system at the end of the day

Answer 29

parallel processing

Question 30

in a ___ DRP review, a single application is interrupted and failed over (after hours) to a secondary facility

Answer 30

partial Interruption

Question 31

in a ___ DRP review, all applications are interrupted and failed over (after hours) to a secondary facility

Answer 31

full interruption

Question 32

DRP plans should be reviewed and updated at least every ___ months

Answer 32

12

Question 33

after updating a DRP, all team members must ___

Answer 33

turn in their copies of the previous plan for destruction

Question 34

warm sites should take between ___ and ___ hours to become functional

Answer 34

4; 24

Question 35

a temporary command and control center during an emergency is called the ___

Answer 35

EOC (Emergency Operation Center)

Question 36

the digital forensics process has 4 steps:

Answer 36

1. Identify potential evidence
2. Acquire the evidence
3. Analyze the evidence
4. Report your findings