Which of the following forensic procedures is involved?
The security manager received a report that an employee was involved in illegal activity and has saved data to
a workstation’s hard drive. During the investigation, local law enforcement’s criminal division confiscates the
hard drive as evidence. Which of the following forensic procedures is involved?
which of the following is likely to be an issue with th…
A compromised workstation utilized in a Distributed Denial of Service (DDoS) attack has been removed from
the network and an image of the hard drive has been created. However, the system administrator stated that
the system was left unattended for several hours before the image was created. In the event of a court case,
which of the following is likely to be an issue with this incident?
Which of the following does this illustrate?
Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a
given time.
Which of the following does this illustrate?
Which of the following is a problem that the incident r…
A recent intrusion has resulted in the need to perform incident response procedures. The incident response
team has identified audit logs throughout the network and organizational systems which hold details of the
security breach. Prior to this incident, a security consultant informed the company that they needed to
implement an NTP server on the network. Which of the following is a problem that the incident response team
will likely encounter during their assessment?
The system administrator records the system time of all…
A system administrator is responding to a legal order to turn over all logs from all company servers. The system
administrator records the system time of all servers to ensure that:
Which of the following is the MOST likely reason why th…
The incident response team has received the following email message.
From: monitor@ext-company.com
To: security@company.com
Subject: Copyright infringement
A copyright infringement alert was triggered by IP address 13.10.66.5 at 09:50:01 GMT.
After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident.
09:45:33 13.10.66.5 http://remote.site.com/login.asp?user=john
09:50:22 13.10.66.5 http://remote.site.com/logout.asp?user=anne
10:50:01 13.10.66.5 http://remote.site.com/access.asp?file=movie.mov
11:02:45 13.10.65.5 http://remote.site.com/download.asp?movie.mov=ok
Which of the following is the MOST likely reason why the incident response team is unable to identify and
correlate the incident?
which of the following would BEST assist Joe with detec…
Joe, a security administrator, is concerned with users tailgating into the restricted areas. Given a limited budget,
which of the following would BEST assist Joe with detecting this activity?
Which of the following types of controls is being used?
A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were
facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the
proper direction. Which of the following types of controls is being used?
Which of the following represents the BEST approach to …
A security technician wishes to gather and analyze all Web traffic during a particular time period.
Which of the following represents the BEST approach to gathering the required data?
Which of the following will allow for faster imaging to …
A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive?