A system administrator is responding to a legal order to turn over all logs from all company
servers. The system administrator records the system time of all servers to ensure that:
A.
HDD hashes are accurate.
B.
the NTP server works properly.
C.
chain of custody is preserved.
D.
time offset can be calculated.
Explanation:
It is quite common for workstation times to be off slightly from actual time, and that can happen
with servers as well. Since a forensic investigation is usually dependent on a step-by-step account
of what has happened, being able to follow events in the correct time sequence is critical. Because
of this, it is imperative to record the time offset on each affected machine during the investigation.
One method of assisting with this is to add an entry to a log file and note the time that this was
done and the time associated with it on the system.