ECCouncil Exam Questions

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion
Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security.
When the investigator attempts to correlate the information in all of the logs, the sequences of many of the
logged events do not match up.
What is the most likely cause?

A.
The network devices are not all synchronized.

B.
Proper chain of custody was not observed while collecting the logs.

C.
The attacker altered or erased events from the logs.

D.
The security breach was a false positive.

Explanation:
The correct answer is A: the network devices are not all synchronized.
Correlating events across firewalls, proxy servers and IDS sensors depends on every device stamping its events from the same clock, normally by synchronizing all of them to a common time source with NTP. If the clocks drift apart, the same chain of events appears in a different order in each log, which is exactly the symptom described. The other options do not produce this symptom: a chain-of-custody failure (B) affects whether the logs are admissible, not the order of the timestamps inside them; an attacker editing logs (C) typically removes or alters entries on one device rather than consistently shifting the sequence across all of them; and a false positive (D) would not change how events are timestamped.
Time synchronization is an important middleware service of distributed systems, and a Distributed Intrusion Detection System (DIDS) in particular relies on it heavily.
Reference: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5619315&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5619315
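The situation in the question, worked through in code as an added example (this is not part of the original exam material): three devices log the same HTTPS flow, but the firewall clock runs two minutes slow and the IDS clock runs 45 seconds fast. Sorting the raw timestamps puts the events in the wrong order; estimating each device's clock offset from one anchor event that all three devices logged, then re-sorting on the corrected time, restores the real sequence. The device names, log lines, anchor timestamps and the 5-second skew tolerance are all constructed for this example.

```python
"""Added example: correlating logs from devices whose clocks disagree.

Timestamps are parsed as logged, a per-device clock offset is estimated from a
shared anchor event, the offset is applied, and the events are re-sorted.
Devices, log lines and offsets are constructed for the example.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(\S+)\s*(.*)$")

# Constructed sample: one flow from 10.1.1.7 seen by a firewall, a proxy and an
# IDS. Firewall clock is 2 minutes slow, IDS clock is 45 seconds fast.
SAMPLE_LOGS = [
    ("firewall", "2024-03-01T10:00:05 ACCEPT src=10.1.1.7 dst=203.0.113.9 dport=443"),
    ("firewall", "2024-03-01T10:00:40 CLOSE src=10.1.1.7 dst=203.0.113.9 dport=443"),
    ("proxy",    "2024-03-01T10:02:10 CONNECT 10.1.1.7 -> 203.0.113.9:443 user=jdoe"),
    ("ids",      "2024-03-01T10:02:58 ALERT src=10.1.1.7 dst=203.0.113.9 msg=beacon"),
]

# One event that every device logged (here: the first packet of the flow), as
# each device's own clock recorded it. Constructed values.
ANCHOR_TIMESTAMPS = {
    "firewall": "2024-03-01T10:00:05",
    "proxy":    "2024-03-01T10:02:05",
    "ids":      "2024-03-01T10:02:50",
}


def parse_line(device, line):
    """Split '<timestamp> <action> <detail>' into a dict; timestamp kept as logged."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable {device} line: {line!r}")
    return {
        "device": device,
        "ts": datetime.strptime(m.group(1), TS_FMT),
        "action": m.group(2),
        "detail": m.group(3),
    }


def estimate_offsets(anchors, reference):
    """Seconds to ADD to each device's timestamps to align it with `reference`.

    offset = (anchor time on reference device) - (anchor time on this device),
    so a slow clock gets a positive offset and a fast clock a negative one.
    """
    ref = datetime.strptime(anchors[reference], TS_FMT)
    return {
        dev: (ref - datetime.strptime(ts, TS_FMT)).total_seconds()
        for dev, ts in anchors.items()
    }


def skewed_devices(offsets, tolerance=5.0):
    """Devices whose clock is off by more than `tolerance` seconds (assumed value)."""
    return sorted(dev for dev, off in offsets.items() if abs(off) > tolerance)


def correlate(logs, offsets=None):
    """Parse all lines, apply per-device offsets (none = raw order), sort by corrected time."""
    offsets = offsets or {}
    events = []
    for device, line in logs:
        ev = parse_line(device, line)
        ev["corrected"] = ev["ts"] + timedelta(seconds=offsets.get(device, 0))
        events.append(ev)
    events.sort(key=lambda e: e["corrected"])
    return events


def sequence(events):
    """Compact (device, action) view of an event list, for comparing orderings."""
    return [(e["device"], e["action"]) for e in events]


if __name__ == "__main__":
    print("raw order      :", sequence(correlate(SAMPLE_LOGS)))
    offs = estimate_offsets(ANCHOR_TIMESTAMPS, reference="proxy")
    print("clock offsets  :", offs)
    print("skewed devices :", skewed_devices(offs))
    print("corrected order:", sequence(correlate(SAMPLE_LOGS, offs)))
```

In the raw order the firewall's CLOSE appears before the proxy ever saw the CONNECT, which is the kind of impossible sequence the investigator in the question runs into. In practice the offsets come from querying each device's clock against a trusted NTP server at collection time and recording the result with the evidence; the anchor-event method above is the fallback when that was not done.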