Which of the following best defines a Computer Security Incident Response Team (CSIRT)?

If an employee’s computer has been used by a fraudulent employee to commit a crime, the hard disk may be
seized as evidence and once the investigation is complete it would follow the normal steps of the Evidence Life
Cycle. In such case, the Evidence life cycle would not include which of the following steps listed below?

If an organization were to monitor their employees’ e-mail, it should not:

Which of the following is a problem regarding computer investigation issues?

When should a post-mortem review meeting be held after an intrusion has been properly taken care of?

When referring to a computer crime investigation, which of the following would be the MOST important step
required in order to preserve and maintain a proper chain of custody of evidence:

In order to be able to successfully prosecute an intruder:

When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of
the following actions should be done as a first step if you wish to prosecute the attacker in court?

When a possible intrusion into your organization’s information system has been detected, which of the following
actions should be performed first?

Why would a memory dump be admissible as evidence in court?