The incident response team has received the following email message.
Subject: Copyright infringement
A copyright infringement alert was triggered by IP address 188.8.131.52 at 09: 50: 01 GMT.
After reviewing the following web logs for IP 184.108.40.206, the team is unable to correlate and identify the incident.
09: 45: 33 220.127.116.11 http: //remote.site.com/login.asp?user=john
09: 50: 22 18.104.22.168 http: //remote.site.com/logout.asp?user=anne
10: 50: 01 22.214.171.124 http: //remote.site.com/access.asp?file=movie.mov
11: 02: 45 126.96.36.199 http: //remote.site.com/download.asp?movie.mov=ok
Which of the following is the MOST likely reason why the incident response team is unable to identify and
correlate the incident?
The logs are corrupt and no longer forensically sound.
Traffic logs for the incident are unavailable.
Chain of custody was not properly maintained.
Incident time offsets were not accounted for.
It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as
well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened,
being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the
time offset on each affected machine during the investigation. One method of assisting with this is to add an
entry to a log file and note the time that this was done and the time associated with it on the system.