
Chapter 8 Questions

20 points

1. What is an incident damage assessment?

a. The initial determination of the scope of the breach of confidentiality, integrity,

and availability of information and information assets.

2. What are some of the reasons a safeguard or control may not have been successful

in stopping or limiting an incident?

a. A malfunctioning or misconfigured network security device, such as a firewall,

router, or VPN connection, or a breach of policy or of data protection procedures.

3. What must be done with interrupted services during the recovery process?

a. They must be examined, verified, and then restored.

4. What procedures should occur on a regular basis to maintain the IR plan?

a. Conduct effective after-action review (AAR) meetings, perform comprehensive

periodic plan review and maintenance, continue training the staff members who

will be involved in IR, and rehearse plan actions on a continuing basis so that

readiness is maintained for all aspects of the incident plan.

5. What is digital forensics?

a. Digital forensics is the use of forensic techniques when the source of evidence is a

digital electronic device, which includes computer systems, mobile phones,

smartphones, tablets, portable music players, and all other electronic devices

capable of storing digital information.

6. What guides an organization in setting up a forensic capability?

a. It depends on the size and nature of the organization, and on the available

resources. Organizations should consider the following:



i. Cost — This includes the costs of the tools, hardware, and other

equipment used to collect and examine digital information as well as the

costs for staffing and training.

ii. Response time — Although an outside forensic consultant may seem

cheaper because the service is only paid for when actually used, the

interruption to normal business operations while the consultant gets into

place and up to speed may turn out to be more expensive than maintaining

an in-house forensic capability.

iii. Data sensitivity — Forensic data collection can expose highly sensitive

information, such as personal health records, credit card information, and

business plans, so giving outside consultants access to that data may

complicate their use.

7. How do organizations often divvy up the practice of digital forensics?

a. First response — Assessing the “scene,” identifying the sources of relevant digital

information and preserving it for later analysis using sound processes

b. Analysis and presentation — Analyzing the collected information to identify

material facts that bear on the subject of the investigation; preparing and

presenting the results of the analysis to support possible legal action

8. What are the common roles and duties of a digital forensic first-response team?

a. Incident manager — Surveys the scene and identifies sources of relevant

information; also orchestrates the work of the other team members and usually

produces any photographic documentation.

b. Scribe — Produces the written record of the team's activities and maintains

control of the field evidence log and locker.

c. Imager — Makes forensic (bit-for-bit) images of digital evidence and collects copies of any relevant physical documents.

9. What factors determine which digital evidence should be collected and in what

order?

a. Value — The likely usefulness of the information

b. Volatility — The stability of the information over time; some types of information

(for example, the contents of memory and active network connections) are lost when

power is cut, and others are overwritten as the system continues to run, so the most

volatile sources are collected first.

c. Effort required — The amount of time required to acquire a copy of the

information

10. In forensic analysis, what are the differences between examination and analysis?

a. The examination phase involves the use of forensic tools to recover the content of

files that were deleted, operating system artifacts, and other relevant facts. The

analysis phase uses those materials to answer the questions that gave rise to the

investigation.

11. What type of document is usually required when an organization other than a law

enforcement agency obtains authorization for a search?

a. An affidavit, which furnishes much of the same information usually found in a

public-sector search warrant.

12. In what main way does search and seizure differ in the public and the private

sectors?

a. In general, a law enforcement organization cannot be sued for its conduct during

an investigation, whereas a private organization can become the target of a



retaliatory lawsuit for damages arising from an investigation that proves to be

groundless.

13. What are the four steps in collecting digital evidence?

a. Identify sources of evidentiary material.

b. Authenticate the evidentiary material.

c. Collect the evidentiary material.

d. Maintain a documented chain of custody.

14. What is the purpose of sterile media?

a. To prove that the evidence found on the collection media came from the source

being examined rather than from somewhere else (for example, residue of a previous

case) and was not otherwise tainted in the collection process.
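The four collection steps of question 13 and the sterile-media check of question 14, worked through in Python. This is an added example and not code from the chapter: the "drive" is a constructed file in a temporary directory, the case ID and names are hypothetical, and a real acquisition would go through a hardware write blocker and a validated imaging tool. What it shows is the logic an examiner must get right: refuse media that still holds residue, image bit-for-bit, authenticate the image by hash against the source, and start the custody log at the moment of collection.

```python
"""Added example, not from the chapter: the four collection steps on a constructed
source. The destination media is checked to be sterile (all zero bytes), the
source is imaged bit-for-bit, the image is authenticated by SHA-256 against the
source, and a chain-of-custody record is started. Names and case IDs are made up."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read/write 1 MiB at a time


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def is_sterile(path):
    """Sterile media holds only zero bytes; anything else is residue from prior use."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def acquire(source, destination, collector, case_id):
    """Image `source` onto `destination` and return a chain-of-custody record.

    Refuses non-sterile destination media and fails if the image's hash does
    not match the source's (the authentication step)."""
    if not is_sterile(destination):
        raise RuntimeError("destination media is not sterile")
    source_hash = sha256_file(source)
    with open(source, "rb") as src, open(destination, "r+b") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.truncate()  # image ends exactly where the source ends
    image_hash = sha256_file(destination)
    if image_hash != source_hash:
        raise RuntimeError("image hash does not match source hash")
    return {
        "case_id": case_id,
        "item": os.path.basename(source),
        "sha256": image_hash,
        "image": destination,
        "custody": [{"holder": collector, "action": "acquired",
                     "at": datetime.now(timezone.utc).isoformat()}],
    }


def transfer(record, new_holder):
    """Append a hand-off to the custody log so every holder is accounted for."""
    record["custody"].append({"holder": new_holder, "action": "received",
                              "at": datetime.now(timezone.utc).isoformat()})
    return record


def demo():
    """Constructed scenario: a small 'drive', one wiped and one reused destination."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_usb.bin")          # hypothetical item
        wiped = os.path.join(tmp, "IR-0042_item1.dd")           # sterile media
        reused = os.path.join(tmp, "leftover.dd")               # media with residue
        content = b"EVIDENCE: deleted memo\n" + bytes(range(256)) * 64
        with open(source, "wb") as f:
            f.write(content)
        with open(wiped, "wb") as f:
            f.write(b"\x00" * (len(content) + 4096))  # wiped, larger than source
        with open(reused, "wb") as f:
            f.write(b"\x00" * 1000 + b"old case data" + b"\x00" * 1000)
        record = transfer(acquire(source, wiped, "analyst1", "IR-0042"), "custodian")
        try:
            acquire(source, reused, "analyst1", "IR-0042")
            reused_rejected = False
        except RuntimeError:
            reused_rejected = True
        return {
            "record": record,
            "reused_rejected": reused_rejected,
            "expected_sha256": hashlib.sha256(content).hexdigest(),
            "image_size": os.path.getsize(wiped),
            "source_size": len(content),
        }


if __name__ == "__main__":
    print(demo()["record"])
```

The hash recorded at acquisition is what every later examiner re-computes before working on the image; a mismatch at any hand-off means the custody chain is broken for that copy.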

15. What type of forensics is used for practices that continue to operate while being

examined?

a. A live acquisition is used on systems that are operating while being examined.

16. What types of information are missed by a normal copying process but included in a

forensic image?

a. Deleted files and file fragments, which sit in unallocated space or in the slack

at the end of allocated space, are generally missed by normal copying processes

but are captured by a bit-for-bit forensic image.
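To make the difference between a normal copy and a forensic image concrete, here is an added example (not from the chapter) that builds a tiny constructed "disk" with a toy directory structure: one file is deleted, and a shorter file is then written over the start of its sector. A file-level copy, which only follows the directory, never sees the leftover fragment; a bit-for-bit image does, and a simple string carve or keyword search recovers it. The file names, contents and the directory format are all made up for the example.

```python
"""Added example, not from the chapter: a constructed 'disk' with a toy directory
in sector 0 and 512-byte sectors after it. Deleting a file removes only its
directory entry, so its bytes survive in unallocated space or in the slack of a
later file until something overwrites them. A file-level copy follows the
directory and never sees them; a bit-for-bit image keeps every byte."""
import re

SECTOR = 512
NUM_SECTORS = 8

# constructed sample data
REPORT = b"Quarterly numbers look fine."
MEMO = b"CONFIDENTIAL: wire 250000 to acct 99-1234 before the audit."
NOTES = b"lunch at noon today "  # 20 bytes, shorter than the memo it lands on


def write_directory(disk, entries):
    """Sector 0 holds 'name,start_sector,length' lines, zero padded."""
    table = "".join(f"{n},{s},{l}\n" for n, s, l in entries).encode()
    disk[0:SECTOR] = table.ljust(SECTOR, b"\x00")


def read_directory(disk):
    """Parse sector 0 back into (name, start_sector, length) tuples."""
    text = bytes(disk[0:SECTOR]).rstrip(b"\x00").decode()
    return [(n, int(s), int(l)) for n, s, l in
            (line.split(",") for line in text.splitlines())]


def store(disk, entries, name, data, start):
    """Allocate `data` at sector `start` and add a directory entry."""
    disk[start * SECTOR:start * SECTOR + len(data)] = data
    entries.append((name, start, len(data)))


def build_disk():
    """Write two files, delete one, then reuse part of its sector."""
    disk = bytearray(SECTOR * NUM_SECTORS)
    entries = []
    store(disk, entries, "report.txt", REPORT, 1)
    store(disk, entries, "memo.txt", MEMO, 2)
    entries[:] = [e for e in entries if e[0] != "memo.txt"]  # 'delete' memo.txt
    store(disk, entries, "notes.txt", NOTES, 2)  # reuse sector 2; memo tail stays in slack
    write_directory(disk, entries)
    return bytes(disk)


def logical_copy(disk):
    """A normal copy: only the bytes the directory attributes to live files."""
    return {n: disk[s * SECTOR:s * SECTOR + l] for n, s, l in read_directory(disk)}


def physical_image(disk):
    """A forensic image: every sector, allocated or not."""
    return bytes(disk)


def carve_strings(blob, min_len=8):
    """Recover printable runs regardless of file boundaries, as (offset, bytes)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, blob)]


def find_keyword(blob, keyword):
    """Offsets at which a keyword occurs anywhere in the blob."""
    return [m.start() for m in re.finditer(re.escape(keyword), blob)]


if __name__ == "__main__":
    disk = build_disk()
    print("copied files:", sorted(logical_copy(disk)))
    print("keyword hits in image:", find_keyword(physical_image(disk), b"99-1234"))
    for off, s in carve_strings(physical_image(disk)):
        print(off, s)
```

The carved run starting at sector 2 shows the live notes text and the memo fragment as one string, which is exactly how slack-space evidence looks in practice: the examiner has to recognise where one file ends and the overwritten remnant begins.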

17. What is the relationship between forensics and anti-forensics, and why is it

important to the forensics investigator?

a. Anti-forensics is the set of techniques by which those who may become subject to

digital forensic examination obfuscate, hide, or destroy items of evidentiary value.

The investigator must know these techniques because evidence may have been wiped,

altered, or hidden, and the absence or alteration of an artifact that should be

present is itself a finding to be recognized and documented.

18. Why is cryptography a good thing for IT workers but a bad thing for forensic

investigators?

a. Encrypted information poses significant challenges to forensic investigators

because, by its nature, encryption conceals the content of digital material.

19. When is the involvement of law enforcement optional in a forensics investigation?

Who should make this determination?

a. Law enforcement involvement is optional as long as the incident does not appear to

violate a civil or criminal law. The CSIRT, in consultation with senior management

and legal counsel, should make the ultimate decision.
