202. Which of the following computer and network data analysis methods used for computer-incident purposes helps identify policy violations?
a. Operational troubleshooting
b. Log monitoring
c. Data recovery
d. Data acquisition
202. b. Various tools and techniques can assist with log monitoring, such as analyzing log entries and correlating log entries across multiple systems. This can assist with incident handling, identifying policy violations, auditing, and other efforts.
Operational troubleshooting is incorrect because it applies to finding the virtual and physical location of a host with an incorrect network configuration, resolving a functional problem with an application, and recording and reviewing the current operating system and application configuration settings for a host.
Data recovery is incorrect because data recovery tools can recover lost data from systems. This includes data that has been accidentally or purposely deleted, overwritten, or otherwise modified.
Data acquisition is incorrect because it deals with tools to acquire data from hosts that are being redeployed or retired. For example, when a user leaves an organization, the data from the user’s workstation can be acquired and stored in case the data is needed in the future. The workstation’s media can then be sanitized to remove all the original user’s data.
203. Which of the following is best for reviewing packet sniffer data?
a. Security event management software
b. Protocol analyzer
c. Log filtering tool
d. Visualization tool
203. b. Packet sniffer data is best reviewed with a protocol analyzer, which interprets the data for the analyst based on knowledge of protocol standards and common implementations.
Security event management software is incorrect because it is capable of importing security event information from various network traffic-related security event data sources (e.g., IDS logs and firewall logs) and correlating events among the sources.
Log filtering tool is incorrect because it helps an analyst to examine only the events that are most likely to be of interest. Visualization tool is incorrect because it presents security event data in a graphical format.
204. What is a technique for concealing or destroying data so that others cannot access it?
a. Antiforensic
b. Steganography
c. Digital forensic
d. Forensic science
204. a. Antiforensic is a technique for concealing or destroying data so that others cannot access it. Steganography is incorrect because it embeds data within other data to conceal it. Digital forensic is incorrect because it is the application of science to the identification, collection, analysis, and examination of digital evidence while preserving the integrity of the information and maintaining a strict chain of custody for the evidence. Forensic science is incorrect because it is the application of science to the law.
205. A search warrant is required:
a. Before the allegation has been substantiated
b. After establishing the probable cause(s)
c. Before identifying the number of investigators needed
d. After seizing the computer and related equipment
205. b. After the allegation has been substantiated, the prosecutor should be contacted to determine if there is probable cause for a search. Because of the technical orientation of a computer-related crime investigation, presenting a proper technical perspective in establishing probable cause becomes crucial to securing a search warrant.
206. Law enforcement agencies have developed personality profiles of computer criminals. Careful planning prior to an actual crime is an example of which one of the following characteristics?
a. Organizational characteristics
b. Operational characteristics
c. Behavioral characteristics
d. Resource characteristics
206. b. In many cases, computer crimes are carefully planned. Computer criminals spend a great deal of time researching and preparing to commit crimes. These are grouped under operational characteristics.
Organizational characteristics describe the ways in which computer criminals group themselves with national and international connections. Behavioral characteristics deal with motivation and personality profiles. Resource characteristics address training and equipment needs and the overall support structure.
207. When ‘n’ incident reports are made by an organization, it can lead to a wrong conclusion that:
a. There are ‘n’ plus one incidents.
b. There are ‘n’ minus one incidents.
c. There are ‘n’ incidents.
d. There are ‘n’ plus or minus one incidents.
207. c. It is important not to assume that, because only ‘n’ reports are made, ‘n’ is the total number of incidents; it is not likely that all incidents are reported.
208. Which of the following should be established to minimize security incident impact?
a. Learning and training
b. Baselining and safeguarding
c. Layering and zoning
d. Testing and sampling
208. c. Layering and zoning require establishing security layers to minimize incident impact. Zoning, or compartmentalizing, is a concept whereby an application is segmented into independent security environments. A breach of security requires a security failure in two or more zones/compartments before the application is compromised. This minimizes the impact of a security incident. This layered approach to security can be applied within physical or technical environments associated with an IT system.
Learning is knowledge gained by studying either in the classroom or through individual research and investigation. Training is teaching people the knowledge and skills that enable them to perform their jobs more effectively. Baseline security is incorrect because it is the minimum security control required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and availability protection. Sampling is used in testing, where a representative sample is taken from a defined population.
209. Which of the following will not be liable when a libel is posted on a national electronic online service such as the Internet?
a. The person who originated the defamatory remark
b. The person who repeated the defamatory remark
c. The person who read the defamatory remark
d. The person who republished the defamatory remark
209. c. Defamation is the destruction of a person’s reputation and good name by a false statement, spoken (slander) or written (libel), that harms that person. Online defamation claims are considered under libel law. The essence of libel is the publication of a false, defamatory, and unprivileged statement to a third person. The originator and each person who repeats or republishes the defamation are liable. The person who read the defamatory work is not liable for anything as long as he or she does not use it in a commercial way.