After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best next step or action to take?
Restore and repair any damage
Deploy new countermeasures
Update the security policy
Back up all logs and audits regarding the incident
answer
Back up all logs and audits regarding the incident
question
Which of the following is an important aspect of evidence gathering?
Restoring damaged data from backup media
Monitoring user access to compromised systems
Backing up all log files and audit trails
Purging transaction logs
answer
Backing up all log files and audit trails
question
During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?
Run a packet sniffer to monitor traffic to and from the access point
Connect to the access point and examine its logs for information
See who is connected to the access point and attempt to find the attacker
Disconnect the access point from the network
answer
Disconnect the access point from the network
question
You have discovered a computer that is connected to your network and was used for an attack. You have disconnected the computer from the network to isolate it and stop the attack.
What should you do next?
Stop all running processes
Make a hash of the hard drive
Clone the hard drive
Perform a memory dump
answer
Perform a memory dump
question
You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?
Turn off the system
Document what's on the screen
Stop all running processes
Remove the hard drive
answer
Document what's on the screen
question
Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?
Photographs
File directory listing
Serial number notation
Hashing
answer
Hashing
question
When duplicating a drive for forensic investigation purposes, which of the following copying methods is most appropriate?
Drive mirroring
Active sector cloning
Bit-level cloning
File-by-file copying
answer
Bit-level cloning
question
How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?
Enable write protection
Write a log file to the media
Create a checksum using a hashing algorithm
Reset the file attributes on the media to read-only
answer
Create a checksum using a hashing algorithm
question
You manage the network for your company. You have recently discovered information on a computer hard drive that might indicate evidence of illegal activity. You want to perform forensic activities on the disk to see what kind of information it contains.
What should you do first?
Fire the employee who uses the computer
Obtain a search warrant
Make a bit-level copy of the disk
Run forensic tools to examine the hard drive contents
answer
Make a bit-level copy of the disk
question
What is the best definition of a security incident?
Compromise of the CIA of resources
Criminal activity
Interruption of productivity
Violation of a security policy
answer
Violation of a security policy
question
What is the most important element related to evidence in addition to the evidence itself?
Completeness
Chain of custody document
Witness testimony
Photographs of the crime scene
answer
Chain of custody document
question
The chain of custody is used for which purposes?
Detailing the timeline between creation and discovery of evidence
Retaining evidence integrity
Identifying the owner of the evidence
Listing people coming into contact with evidence
answer
Listing people coming into contact with evidence
question
You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. What type of document is this?
Rules of evidence
Chain of custody
CPS (certificate practice statement)
FIPS-140
answer
Chain of custody
question
Hashing
answer
Hashing is the method used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence.
question
Bit-level cloning
answer
Only bit-level cloning is recognized as a sufficient method for duplicating hard drives for forensic investigation purposes.
question
File-by-file copying, active sector cloning, and drive mirroring
answer
These are insufficient copying methods for forensic investigation purposes. They fail to duplicate data that has been deleted or that is stored in the slack space of the drive.
question
Chain of custody document
answer
The chain of custody is used to track the people who came in contact with evidence. The chain of custody starts at the moment evidence is discovered. It lists the identity of the person who discovered, logged, gathered, protected, transported, stored, and presented the evidence. The chain of custody helps to ensure the admissibility of evidence in court.
question
You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must you configure in order to see all the network traffic?
answer
Configure the network interface to use promiscuous mode
question
Which of the following accurately describes what a protocol analyzer is used for? (Select two)
answer
A passive device that is used to copy frames and allow you to view frame contents; A device that does not allow you to capture, modify, and re-transmit frames (to perform an attack).
question
Which of the following tools would you use to validate the bandwidth on your network and identify when the bandwidth is significantly below what it should be?
answer
Throughput tester
question
Which of the following tools would you use to simulate a large number of client connections to a website, test file downloads for an FTP site, or simulate large volumes of email?
answer
Load tester
question
You want to examine the data on your network to find out if any of the following are happening: Users are connecting to unauthorized websites; Cleartext passwords are allowed by protocols or services; Unencrypted traffic that contains sensitive data is on the network. Which of the following tools would you use?
answer
Protocol analyzer