PrepAway - Latest Free Exam Questions & Answers

Which of the following is a problem that the incident response team will likely encounter during their assessment?

A recent intrusion has resulted in the need to perform incident response procedures. The incident
response team has identified audit logs throughout the network and organizational systems which hold
details of the security breach. Prior to this incident, a security consultant informed the company that they
needed to implement an NTP server on the network. Which of the following is a problem that the
incident response team will likely encounter during their assessment?


A. Chain of custody

B. Tracking man hours

C. Record time offset

D. Capture video traffic

Explanation:
It is quite common for workstation as well as server times to be off slightly from actual time. Since a
forensic investigation is usually dependent on a step-by-step account of what has happened, being able
to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time
offset on each affected machine during the investigation. One method of assisting with this is to add an
entry to a log file and note the time that this was done and the time associated with it on the system.
There is no mention that this was done by the incident response team.
Incorrect Answers:
A: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it.
When you begin to collect evidence, you must keep track of that evidence at all times and show who has
it, who has seen it, and where it has been. The evidence must always be within your custody, or you're
open to dispute about possible evidence tampering. In this case there is no mention that the chain of
custody is in question.
B: Tracking man hours and expenses go hand-in-hand. In this case the incident response team already has
the evidence.
D: The incident response team has already identified the audit logs pertaining to the incident, so there is
no problem regarding capturing video traffic that might be encountered.
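The explanation above describes recording the time offset on each affected machine and then following events in the correct sequence. The following Python script is an added example, not from the study guide or the exam page: it records an offset the way the explanation describes (reference time of the check alongside the time the system reports) and then re-orders constructed sample log lines from three hosts by reference time. Host names, offsets and log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: offsets recorded on each affected machine during the
# investigation, as (system clock) - (reference time). Positive = clock runs fast.
RECORDED_OFFSETS = {
    "web01": timedelta(seconds=127),
    "db01": timedelta(seconds=-45),
    "fw01": timedelta(seconds=0),
}

# Constructed sample log lines: "<host> <timestamp as the host recorded it> <message>"
SAMPLE_LOGS = [
    "db01 2014-03-05T09:59:45 mysqld: SELECT * FROM customers (user admin)",
    "fw01 2014-03-05T09:59:58 allow 10.0.0.5 -> 10.0.1.20:22",
    "web01 2014-03-05T10:02:07 sshd: Accepted password for admin from 10.0.0.5",
]

def record_offset(host, system_clock, reference_clock):
    """Record the offset the way the explanation describes: note the reference time
    at which the entry is made together with the time the system itself reports."""
    offset = system_clock - reference_clock
    entry = (f"{reference_clock.isoformat()} offset-check host={host} "
             f"system_clock={system_clock.isoformat()} offset={offset.total_seconds():+.0f}s")
    return offset, entry

def parse_line(line):
    host, ts, msg = line.split(" ", 2)
    return host, datetime.fromisoformat(ts), msg

def normalize(line, offsets):
    """Convert a host-local timestamp to reference time using the recorded offset.
    A host with no recorded offset is refused rather than silently trusted."""
    host, local_ts, msg = parse_line(line)
    if host not in offsets:
        raise KeyError(f"no time offset recorded for {host}")
    return host, local_ts - offsets[host], msg

def timeline(lines, offsets):
    """Order events by reference time; returns (host, reference_time, message) tuples."""
    return sorted((normalize(line, offsets) for line in lines), key=lambda e: e[1])

def raw_order(lines):
    """Order by each host's own clock, which is what an uncorrected review would see."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e[1])

if __name__ == "__main__":
    for host, ts, msg in timeline(SAMPLE_LOGS, RECORDED_OFFSETS):
        print(ts.isoformat(), host, msg)
```

With the sample offsets, the uncorrected order shows the database query before the firewall allowed the connection; after correction the firewall allow, the login and the query fall into their real sequence.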

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 453, 448, 454
