4_5_1 Section 5 – Operations and Incident Response - 4.5 – Digital Forensics- Digital Forensics

Questions and Answers

What is the primary focus of digital forensics?

Developing new techniques for data gathering

Enhancing security event response times

Improving digital device performance

Collecting and protecting information related to security events (correct)

What document provides guidelines for evidence collection and archiving in digital forensics?

ISO 27001

COBIT 5

RFC 3227 (correct)

NIST 800-53

What are the three phases of the digital forensics process described in RFC 3227?

Identifying, containing, and eradicating

Gathering, examining, and documenting

Acquisition, analysis, and reporting (correct)

Collection, preservation, and presentation

What is often requested by legal counsel as a precursor to other legal proceedings?

Legal hold

What is the term for the data copied for a legal hold, which is often stored in a separate repository?

Electronically stored information (ESI)

Why is it important to be detail-oriented in digital forensics?

Because some of this information could be used later on in a court of law

What is a possible source to consult when examining the time zone settings of a device?

Configuration settings for the operating system

Where can you find log information in a Linux operating system?

/var/log directory

Why is it important to perform user interviews quickly after a security event?

Because people may forget or inaccurately describe the event

What is the purpose of documenting the data acquisition process?

To provide step-by-step information about the data gathering process

What is a challenge of gathering witness statements?

They may not be 100% accurate

What is the final step in the security event analysis process?

Documenting conclusions and inferences

What is the primary responsibility of a security professional when receiving a legal hold?

To gather and maintain the data to preserve everything

What type of information can be provided by video that is normally not available?

Screen information and system details

Why is it important to archive video content?

So that it can be viewed later in reference to a security incident

What is a concern regarding the data collected during a security incident?

That it may not be admissible in a court of law

What is the purpose of documenting the chain of custody?

To verify that nothing has been changed since the data was collected

Why is it important to document the time zone information associated with the device being examined?

To ensure that the timestamps are accurate

What is the purpose of using hashes during the collection process?

To verify that the data is the same as when it was collected

What is a common concern when collecting data from a mobile device?

That the data may not be authorized to be collected

Why is it important to follow proper procedures when gathering data?

To ensure that the data is collected correctly

What is the purpose of maintaining a central database of collected data?

To catalog and document everything that has been collected