Writing Assignment: Module 09 Flashcards
What is an incident damage assessment?
The initial determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets
What are some of the reasons a safeguard or control may not have been successful in stopping or limiting an incident?
Missing, Misconfigured, or Malfunctioning
What must be done with interrupted services during the recovery process?
Compromised services and processes must be examined, verified, and then restored. If services or processes were interrupted in the course of regaining control of the systems, they need to be brought back online.
What procedures should occur on a regular basis to maintain the IR plan?
procedures to complete effective after-action review meetings, a process to complete comprehensive periodic plan review and maintenance
What is digital forensics?
the use of forensic techniques when the source of evidence is a digital electronic device, which includes computer systems, mobile phones, smartphones, tablets, portable music players, and all other electronic devices capable of storing digital information.
What legal issues guide an organization in setting up a forensic capability?
Cost Response time, and Data Sensitivity
How do organizations often divide the practice of digital forensics?
First response and Analysis and Presentation
What are the common roles and duties of a digital forensic first-response team?
Incident Manager, Scribe and Imager.
What factors determine which digital evidence should be collected and in what order?
Value, Volatility, and Effort Required
In forensic analysis, what are the differences between examination and analysis?
involves the use of forensic tools to recover the content of files that were deleted, operating system artifacts (such as event data and logging of user actions), and other relevant facts.
uses those materials to answer the question(s) that gave rise to the investigation.
What type of document is usually required when an organization other than a law enforcement agency obtains authorization for a search?
Warrant
In what important way does search and seizure differ in the public and private sectors?
Private sector doesn’t have broad immunity.
What are the four steps in acquiring digital evidence?
Identify sources of evidentiary material.
Authenticate the evidentiary material.
Collect the evidentiary material.
Maintain a documented chain of custody..
What two hash functions are the most commonly used?
Message Digest (MD-5) and Secure Hash Algorithm (SHA-1, SHA-2, and SHA-3)
What is the purpose of sterile media?
for evidence collection purpose. The evidence must not be tainted.
