PrepAway - Latest Free Exam Questions & Answers

Category: 312-49 (v.4)

Briefing 312-49: ECCouncil Computer Hacking Forensic Investigator (update December 06th, 2017)

What is the name of the service used to synchronize tim…

When monitoring for both intrusion and security events between multiple computers, it is essential that the
computers’ clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place
during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly
when specific events took place, and how events interlace. What is the name of the service used to
synchronize time among multiple computers?

which among the following would be appropriate?

Study the log given below and answer the following question:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which
among the following would be appropriate?

What can you do to prove that the evidence is the same …

You are assigned to work in the computer forensics lab of a state police agency. While working on a
high-profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that
the defense attorney might question whether evidence has been changed while at the lab. What can you do to
prove that the evidence is the same as it was when it first entered the lab?

How will these forms be stored to help preserve the cha…

You are working as an investigator for a corporation and you have just received instructions from your manager
to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete
the required evidence custody forms to properly document each piece of evidence as it
is collected by other members of your team. Your manager instructs you to complete one multi-evidence form
for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help
preserve the chain of custody of the case?

