Exam (elaborations)

Information Systems Security - C845 (PT. 2) Questions and Answers

Pages: 50
Grade: A+
Uploaded on: 21-01-2026
Written in: 2025/2026

Institution: WGU C845
Course: WGU C845


When a storage device is taken in as evidence, what is the first step performed by the
forensic personnel after starting the chain of custody form and writing out the evidence
collection form?

A Write an evidence header file to the storage device.
B Make a hash calculation of the contents.
C Connect the device to a write blocker.
D Create a bit-stream image copy.

Answer: C. When a storage device is taken in as
evidence, the first step performed by the forensic personnel after starting the chain of
custody form and writing out the evidence collection form is to connect the device to a
write blocker. The purpose of a write blocker is to physically block the signals from a
computer to the storage device that would cause a change to the data on that storage
device. A physical write blocker does not have the electronic pathways connected that
would send write signals to the drive; only read requests are sent to the storage
device. A write blocker is used as additional insurance against accidental evidence
corruption.

Answer B is incorrect. The first step is NOT to make a hash calculation of the contents.
This is an important step, but it should be performed after connecting the suspect's
storage device to the forensic workstation via a write blocker. A hash calculation should
then be the next immediate step to take after connecting the write blocker. Standard
forensic processes would then be followed to create either a bit-stream image copy or a
file copy of the evidence to two forensically cleaned target storage devices. Once the
duplication was completed, hash calculations would be repeated on the original drive,
and hash calculations performed on the target copies. The before, after, and clone
hashes will be compared. If they are all the same, then the original and the copies are
the same and the original retained its integrity. If the hashes are different, then
something about the cloning or capturing process failed.

Answer D is incorrect. The first step is NOT to create a bit-stream image copy. The proper
first step is to connect the storage device to a write blocker. Once that is
accomplished, then the data is hashed, copied, then hashed again. However, bit-stream
copying is not the

Which disaster recovery/emergency management plan testing type is considered the
most cost-effective and efficient way to identify areas of overlap in the plan before
conducting a more demanding training exercise?
A Full failover test
B Structured walk-through test
C Tabletop exercise
D Simulation test

Answer: B. The structured walk-through test is both cost-effective and
efficient. It involves gathering all the plan participants into a conference room and
discussing roles and activities that are assigned to each person, and individuals may
role-play their assigned activities. Only these staff members have purchasing authority.

Answer A is incorrect. Full failover test is a very expensive test. Full failover testing is a
backup operational technique, which makes the system able to assign extra resources
and to move operations to back-up systems.

Answers C and D are incorrect. Tabletop exercise and simulation test are types of tests.
Tabletop exercises analyze roles and responsibilities and identify additional campus
mitigation needs. In the simulation test, all the steps for a real emergency are
followed and are instructed by the continuity plan leader.

What type of event is more likely to trigger the business continuity plan (BCP) rather
than the disaster recovery plan (DRP)?

A Several users failing to remember their logon credentials
B A security breach of an administrator account
C A port-scanning event against your public servers in the DMZ
D A level 5 hurricane

Answer: B. A security breach of an administrator account is a type
of event which is more likely to trigger the business continuity plan rather than the
disaster recovery plan. The compromise of an administrator account can be a serious
issue. It can result in lost data and crashed systems. However, such an event is more
likely to trigger the business continuity plan rather than the disaster recovery plan
because most administrators are compartmentalized and thus do not have enough
power to take down mission critical processes.

Answer D is incorrect. A level 5 hurricane is powerful enough to damage most buildings,
cause the building to collapse, distribute debris throughout the facility, or cause flooding,
especially on lower levels. This type of event is likely a disaster, causing complete
interruption of mission critical processes. Thus a DRP is needed to resolve disaster
level events.

Answer C is incorrect. While port scanning is not a desired occurrence, it is not in and of
itself a serious concern. Port scanning is a systematic interaction with a target to
determine the state or status of some or all of the TCP and UDP ports. Usually a port
scan is performed in such a way to give the attacker information without crashing the
target system or triggering firewall or IDS response. Thus, a port scan should not cause
any damage, and so it should not require any type of response, whether BCP, DRP, or even
incident response. If a port scan is configured to operate at a flooding level, then it
could require the response and recovery efforts of security staff at either an incident
response level or higher. But, such an event should be labeled a denial of service attack
rather than a port scan.

Answer A is incorrect. Users entering incorrect credentials too many times may cause
account lockout, which in turn will require the users

Which is the first phase of the incident response plan?

A Respond
B Analyze
C Prevent and protect
D Detect

Answer: C

Which option is most accurate regarding a recovery point objective?

A The target time full operations should be restored after disaster

B The time after which the viability of the enterprise is in question

C The point at which the most accurate data is available for restoration

D The point at which the least accurate data is available for restoration

Answer: C. The
RPO is the location of the most accurate backup data prior to a disaster event.

In the realm of incident response, what is the purpose of the recovery phase?

A To prevent the spread of an infection or harm caused by an intrusion

B To restore the environment back to normal operating conditions

C To assemble an incident response team

D To remove the offending element from the environment

Answer: B. In the realm of
incident response, the purpose of the recovery phase is to restore the environment back
to normal operating conditions. A typical incident response policy involves several key
steps, including preparation, detection, notification, containment, eradication, recovery,
and feedback review. The recovery phase can include the installation of new
countermeasures to prevent the re-occurrence of the violation.

Answer D is incorrect. Eradication is the removal of the offending element from the
environment. Eradication typically occurs immediately after containment. To some
extent, eradication will prevent further damage, but its primary goal is to remove the
offending element in order to prevent it from being re-used or allowing the attack to be
repeated.

Answer C is incorrect. Assembling an incident response team is part of the preparation
phase.

Answer A is incorrect. Containment is the incident response phase which has the goal
of preventing further damage to the organization from a known incident. Containment
can include disconnecting affected systems, disabling software or hardware,
disconnecting the Internet link, and removing a suspect from the environment.

Which term is used to describe the role of the person who takes physical control of a
crime scene in order to preserve evidence and prevent tampering before the full
forensics team arrives?

A Senior management
B CIRT
C First responder
D BCP team

Answer: C. A first responder is the person who takes physical control of a
crime scene in order to preserve evidence and prevent tampering before the full
forensics team arrives. The goal of the first responder is to preserve evidence. A first
responder might be an organizational staff member, a non-forensically trained law
enforcement officer, or a forensics lab employee who arrives on the scene before the full
forensics team. A first responder should stop all use of items and equipment in the area,
remove all personnel from the area, and preserve the crime scene until the full forensics
team arrives.

Answer D is incorrect. The person who takes physical control of a crime scene is NOT a
business continuity planning (BCP) team. BCP team members do not have the role of
securing a crime scene. BCP team members focus on understanding the threats to
business processes and implementing preventative strategies and designing response
and recovery solutions to address anything that might partially or fully interrupt business
tasks.

Answer B is incorrect. The person who takes physical control of a crime scene is NOT
the computer incident response team (CIRT). CIRT members do not have the role of
securing a crime scene. CIRT members focus on stopping or containing attacks,
removing any offending elements, and then restoring the environment back to normal
conditions promptly. Thus, the CIRT has a goal of restoring normal operations. This is
often in conflict with the goal of forensics which aims at preserving evidence.

Answer A is incorrect. The person who takes physical control of a crime scene is NOT
Senior management. Senior management does not have the role of securing a crime
scene. Senior management's role is to guide and lead the organization. Individuals who
may have the roles of BCP team member, CIRT member, or senior managemen

A clipping level does which of the following?

A Reduces noise signals on the IT infrastructure

B Provides real-time monitoring
