4_5_1 Section 5 – Operations and Incident Response - 4.5 – Digital Forensics- Digital Forensics

Questions and Answers

What is the primary focus of digital forensics?

• Developing new techniques for data gathering
• Enhancing security event response times
• Improving digital device performance
• Collecting and protecting information related to security events (correct)

What document provides guidelines for evidence collection and archiving in digital forensics?

• ISO 27001
• COBIT 5
• RFC 3227 (correct)
• NIST 800-53

What are the three phases of the digital forensics process described in RFC 3227?

• Identifying, containing, and eradicating
• Gathering, examining, and documenting
• Acquisition, analysis, and reporting (correct)
• Collection, preservation, and presentation

What is often requested by legal counsel as a precursor to other legal proceedings?

Legal hold (D)

What is the term for the data copied for a legal hold, which is often stored in a separate repository?

Electronically stored information (ESI) (D)

Why is it important to be detail-oriented in digital forensics?

Because some of this information could be used later on in a court of law (A)

What is a possible source to consult when examining the time zone settings of a device?

Configuration settings for the operating system (D)

Where can you find log information in a Linux operating system?

/var/log directory (C)

Why is it important to perform user interviews quickly after a security event?

Because people may forget or inaccurately describe the event (A)

What is the purpose of documenting the data acquisition process?

To provide step-by-step information about the data gathering process (D)

What is a challenge of gathering witness statements?

They may not be 100% accurate (A)

What is the final step in the security event analysis process?

Documenting conclusions and inferences (D)

What is the primary responsibility of a security professional when receiving a legal hold?

To gather and maintain the data to preserve everything (A)

What type of information can be provided by video that is normally not available?

Screen information and system details (D)

Why is it important to archive video content?

So that it can be viewed later in reference to a security incident (D)

What is a concern regarding the data collected during a security incident?

That it may not be admissible in a court of law (D)

What is the purpose of documenting the chain of custody?

To verify that nothing has been changed since the data was collected (D)

Why is it important to document the time zone information associated with the device being examined?

To ensure that the timestamps are accurate (C)

What is the purpose of using hashes during the collection process?

To verify that the data is the same as when it was collected (D)

What is a common concern when collecting data from a mobile device?

That the data may not be authorized to be collected (B)

Why is it important to follow proper procedures when gathering data?

To ensure that the data is collected correctly (B)

What is the purpose of maintaining a central database of collected data?

To catalog and document everything that has been collected (C)

Flashcards are hidden until you start studying