A recent intrusion has resulted in the need to perform incident response procedures. The incident response
team has identified audit logs throughout the network and organizational systems which hold details of the
security breach. Prior to this incident, a security consultant informed the company that they needed to
implement an NTP server on the network. Which of the following is a problem that the incident response team
will likely encounter during their assessment?
Chain of custody
Tracking man hours
Record time offset
Capture video traffic
It is quite common for workstation and server clocks to be slightly off from the actual time. Since a forensic
investigation usually depends on a step-by-step account of what has happened, being able to follow events
in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each
affected machine during the investigation. One method of assisting with this is to add an entry to a log file and
note the time that this was done and the time associated with it on the system. There is no mention that this
was done by the incident response team.