CompTIA Exam Questions

Which of the following is the MOST likely reason why the incident response team is unable to identif

seenagape

The incident response team has received the following email message.
From: monitor@ext-company.com
To: security@company.com
Subject: Copyright infringement
A copyright infringement alert was triggered by IP address 13.10.66.5 at 09: 50: 01 GMT.
After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the
incident.
09: 45: 33 13.10.66.5 http: //remote.site.com/login.asp?user=john
09: 50: 22 13.10.66.5 http: //remote.site.com/logout.asp?user=anne
10: 50: 01 13.10.66.5 http: //remote.site.com/access.asp?file=movie.mov
11: 02: 45 13.10.65.5 http: //remote.site.com/download.asp?movie.mov=okWhich of the following is the MOST likely reason why the incident response team is unable to identify and
correlate the incident?

A.
The logs are corrupt and no longer forensically sound.

B.
Traffic logs for the incident are unavailable.

C.
Chain of custody was not properly maintained.

D.
Incident time offsets were not accounted for.

Explanation:
It is quite common for workstation times to be off slightly from actual time, and that can happen with
servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has
happened, being able to follow events in the correct time sequence is critical. Because of this, it is
imperative to record the time offset on each affected machine during the investigation. One method of
assisting with this is to add an entry to a log file and note the time that this was done and the time
associated with it on the system.
Incorrect Answers:
A: Corrupted logs would indicate that it had been tampered with and in this case there is no mention of
logs being corrupted, in fact it can still be reviewed successfully.
B: The logs have been reviewed is mentioned in the question thus it is not a matter of it being
unavailable.
C: The chain of custody in forensics refers to how evidence is secured, where it is stored, and who has
access to it. In this case the evidence is clearly available, etc.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 453, 448