217. In a computer-related crime investigation, maintenance of evidence is important for which of the following reasons:
a. To record the crime
b. To collect the evidence
c. To protect the evidence
d. To avoid problems of proof
217. d. Computer-related evidence must be maintained properly. Special procedures are needed to avoid problems of proof caused by improper care and handling of such evidence.
218. An effective strategy to analyze indications to investigate the most suspicious activity is accomplished through which of the following?
a. Using an Internet search engine
b. Creating a diagnosis matrix
c. Synchronizing the clocks
d. Filtering of the incident data
218. d. An incident indication analyst sees a large volume of data daily, and analyzing all of it consumes large amounts of time. An effective strategy is to filter the indications so that insignificant indications are not shown, or only significant indications are shown, to the analyst.
219. Which of the following is directly applicable to computer security incident prioritization?
a. Gap-fit analysis
b. Sensitivity analysis
c. Option analysis
d. Business impact analysis
219. d. A fundamental concept of business continuity planning is business impact analysis (BIA), which refers to determining the impact of particular events. BIA information for an organization may be directly applicable to security incident prioritization.
The other three choices are not related to security incident prioritization. Gap-fit analysis deals with comparing actual outcomes with expected outcomes. Sensitivity analysis focuses on “what if” conditions. Option analysis deals with the choices that are available or not available.
220. From a computer-forensic viewpoint, which of the following is most useful in prosecution?
a. Disk image
b. Standard file system backup
c. Deleted files
d. File fragments
220. a. A disk image preserves all data on the disk, including deleted files and file fragments. A standard file system backup can capture information on existing files, which may be sufficient for handling many incidents, particularly those that are not expected to lead to prosecution. Both disk images and file system backups are valuable regardless of whether the attacker will be prosecuted because they permit the target to be restored while the investigation continues using the image or backup.
221. Which of the following indications is not associated with a network-based denial-of-service attack against a particular host?
a. Unexplained connection losses
b. Packets with nonexistent destination addresses
c. Increased network bandwidth utilization
d. Firewall and router log entries
221. b. Packets with nonexistent destination addresses are an example of possible indications for a network-based denial-of-service (DoS) attack against a network, not a host. The other choices are examples of indications for network-based DoS attacks against a particular host.
222. Which of the following indications is not associated with a malicious action such as root compromise of a host?
a. User reports of system unavailability
b. Highly unusual log messages
c. Unexplained account usage
d. Increased resource utilization
222. d. “Increased resource utilization” is an example of possible indications of malicious action such as unauthorized data modification. The other choices are examples of possible indications of root compromise of a host.
223. From a security incident viewpoint, countermeasures and controls cannot do which of the following?
a. Prevent
b. Detect
c. Respond
d. Recover
223. c. Countermeasures and controls prevent, detect, and recover from security incidents, not respond to them. Incident response emphasizes interactions with outside parties, such as the media/press, law enforcement authorities, and incident reporting organizations. It is not easy to exercise control over these outside parties.
224. Which of the following forensic tools and techniques are useful for complying with regulatory requirements?
a. Operational troubleshooting
b. Data recovery
c. Due diligence
d. Data acquisition