2.6.7 Practice Questions

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best next step or action to take? Restore and repair any damage Deploy new countermeasures Update the security policy Back up all logs and audits regarding the incident

Which of the following is an important aspect of evidence gathering? Restoring damaged data from backup media Monitoring user access to compromised systems Backing up all log files and audit trails Purging transaction logs

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first first to protect your network while still preserving evidence? Run a packet sniffer to monitor traffic to and from the access point Connect to the access point and examine its logs for information See who is connected to the access point and attempt to find the attacker Disconnect the access point from the network

You have discovered a computer that is connected to your network and was used for an attack. You have disconnected the computer from the network to isolate it and stop the attack. What should you do next? Stop all running processes Make a hash of the hard drive Clone the hard drive Perform a memory dump

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first? Turn off the system Document what's on the screen Stop all running processes Remove the hard drive

Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence? Photographs File directory listing Serial number notation Hashing

When duplicating a drive for forensic investigation purposes, which of the following copying methods is most appropriate? Drive mirroring Active sector cloning Bit-level cloning File-by-file copying

How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence? Enable write protection Write a log file to the media Create a checksum using a hashing algorithm Reset the file attributes on the media to read-only

You manage the network for your company. You have recently discovered information on a computer hard drive that might indicate evidence of illegal activity. You want to perform forensic activities on the disk to see what kind of information it contains. What should you do first? Fire the employee who uses the computer Obtain a search warrant Make a bit-level copy of the disk Run forensic tools to examine the hard drive contents

What is the best definition of a security incident? Compromise of the CIA of resources Criminal activity Interruption of productivity Violation of a security policy

What is the most important element related to evidence in addition to the evidence itself? Completeness Chain of custody document Witness testimony Photographs of the crime scene

The chain of custody is used for which purposes? Detailing the timeline between creation and discovery of evidence Retaining evidence integrity Identifying the owner of the evidence Listing people coming into contact with evidence

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. What type of document is this? Rules of evidence Chain of custody CPS (certificate practice statement) FIPS-140

Hashing

Bit-level cloning

File-by-file copying, active sector cloning, and drive mirroring

Chain of custody document

You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must your configure in order to see all the network traffic?

Which of the following accurately describes what a protocol analyzer is used for? (Select two)

Which of the following tools would you use to validate the bandwidth on your network and identify when the bandwidth is significantly below what is should be?

Which of the following tools would your use to simulate a large number of client connections to a website, est file downloads for an FTP site, or simulate large volumes of email?

You want to examine the data on your network to find out if any of the following are happening: Users are connecting to unauthorized websites; Cleartext password are allowed by protocols or services; Unencrypted traffic that contains sensitive data is on the network. Which of the following tools would you use?