210. Log analysis is a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls
210. c. Log analysis is a part of detective controls because it detects errors and anomalies. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.
Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.
211. Which of the following facilitates a computer-security incident event correlation?
a. File transfer protocol (FTP)
b. Network time protocol (NTP)
c. Internet protocol (IP)
d. Transmission control protocol (TCP)
211. b. Protocols such as the network time protocol (NTP) synchronize clocks among hosts. This is important for incident response because event correlation will be more difficult if the devices reporting events have inconsistent clock settings.
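To show why consistent clocks matter for correlation, here is an added example (not from the original text) with constructed log events from two hosts, where the firewall's clock is assumed to be five minutes fast; the hypothetical `correlated_hosts` helper groups events that fall within a short window, before and after applying per-host clock offsets.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events. fw01's clock is (hypothetically) 300 s fast;
# web01's clock is accurate. All three events describe the same SSH activity.
EVENTS = [
    {"host": "fw01",  "ts": "2024-03-01T10:05:02Z", "msg": "ALLOW tcp 203.0.113.5 -> 10.0.0.8:22"},
    {"host": "web01", "ts": "2024-03-01T10:00:03Z", "msg": "sshd: Failed password for root from 203.0.113.5"},
    {"host": "web01", "ts": "2024-03-01T10:00:05Z", "msg": "sshd: Accepted password for root from 203.0.113.5"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(events, offsets):
    """Shift each host's timestamps by its known clock offset (seconds fast)
    so every event is expressed on one reference clock."""
    out = []
    for e in events:
        t = parse_ts(e["ts"]) - timedelta(seconds=offsets.get(e["host"], 0))
        out.append({**e, "t": t})
    return out

def correlate(events, window):
    """Group time-sorted events whose gaps never exceed `window` seconds."""
    events = sorted(events, key=lambda e: e["t"])
    groups, current = [], []
    for e in events:
        if current and (e["t"] - current[-1]["t"]).total_seconds() > window:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return groups

def correlated_hosts(offsets, window=30):
    """Return, per group, the sorted set of hosts whose events were correlated."""
    return [sorted({e["host"] for e in g}) for g in correlate(normalize(EVENTS, offsets), window)]
```

Without an offset the firewall event lands in a separate group; with the 300 s correction (what NTP would have prevented in the first place) all three events correlate into one group.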
212. Which of the following is required when computer security evidence is transferred from person to person?
a. Location and serial number of the computer
b. Time and date of evidence
c. Chain of custody forms
d. Locations where the evidence was stored
212. c. Computer security incident evidence is needed for legal proceedings. Evidence should be accounted for at all times; whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party’s signature. The other choices are part of the evidence log.
213. Inappropriate usage incidents are not detected through which of the following ways?
a. Precursors
b. User reports
c. User’s screen
d. Threatening e-mail
213. a. Usually there are no precursors (future incidents) of inappropriate usage. User reports, such as seeing inappropriate materials on a user’s screen or receiving a threatening e-mail, are the usual methods to detect inappropriate usage.
214. The outcomes of which of the following phases of a computer forensic process dealing with computer incidents are used to incorporate into future data analysis efforts?
a. Collection
b. Examination
c. Analysis
d. Reporting
214. d. A computer forensic process dealing with computer incidents is composed of four phases: collection, examination, analysis, and reporting. Lessons learned during the reporting phase should be incorporated into future data analysis efforts.
The collection phase is incorrect because it deals with acquiring data from the possible sources of relevant data and complying with the guidelines and procedures that preserve the integrity of the data. The examination phase is incorrect because it applies the tools and techniques to the collected data in order to identify and extract the relevant information while protecting its integrity. The analysis phase is incorrect because it analyzes the results of the examination, which may include the actions used in the examination and recommendations for improvement.
215. In terms of functionality, which of the following is not a part of network forensic analysis tools?
a. Internet service provider records
b. Packet sniffers
c. Protocol analyzers
d. Security event management software
215. a. Internet service providers (ISPs) may collect network traffic-related data as part of their normal operations and when investigating unusual activity, such as extremely high volumes of traffic or an apparent attack. Normal ISP records might be only for days or hours. Forensic data needs to be available until the investigation is completed. ISP records are a secondary source. Network forensic analysis tools typically provide the same functionality as packet sniffers, protocol analyzers, and security event management software. These are primary tools.
216. A search of the malware database did not lead to the identification of the worm. In analyzing the current state of the host, the incident handler feels that the worm has created a backdoor. Which of the following aspects of the host’s current state will identify that backdoor?
a. Unusual connections
b. Unexpected listening ports
c. Unknown processes
d. Unusual entries
216. b. The analyst can look at several different aspects of the host’s current state. It is good to start with identifying unusual connections (e.g., large number, unexpected port number usage, and unexpected hosts) and unexpected listening ports (e.g., backdoors created by the worm). Other steps that may be useful include identifying unknown processes in the running process list, and examining the host’s logs to reveal any unusual entries that may be related to the infection.
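As an added example (not part of the original text), the check described above can be automated by comparing a host's listening sockets against a baseline. The socket listing below is constructed in the style of `ss -tlnp` output, and the baseline and known-process sets are hypothetical values for this host.

```python
import re

# Constructed sample in the style of `ss -tlnp` output; not a real capture.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1033,fd=6))
LISTEN  0       10      0.0.0.0:50321        0.0.0.0:*          users:(("update_svc",pid=7721,fd=4))
"""

# Hypothetical baseline for this host: approved listening ports and their owners,
# plus the process names expected in the running process list.
BASELINE_PORTS = {22: "sshd", 80: "nginx"}
KNOWN_PROCESSES = {"sshd", "nginx", "systemd"}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_listeners(text):
    """Return (port, process, pid) for every LISTEN line that matches the expected layout."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((int(m.group(2)), m.group(3), int(m.group(4))))
    return found

def find_unexpected(listeners, baseline=BASELINE_PORTS, known=KNOWN_PROCESSES):
    """Flag listening ports absent from the baseline, baseline ports owned by the
    wrong process, and any listener whose process name is not known."""
    findings = []
    for port, proc, pid in listeners:
        if port not in baseline:
            findings.append(f"unexpected listening port {port} ({proc}, pid {pid})")
        elif baseline[port] != proc:
            findings.append(f"port {port} expected {baseline[port]} but owned by {proc} (pid {pid})")
        if proc not in known:
            findings.append(f"unknown process {proc} (pid {pid})")
    return findings

def audit(text=SS_OUTPUT):
    return find_unexpected(parse_listeners(text))
```

The unexpected listener and its unknown owning process are the two findings an analyst would then pivot on (process tree, binary hash, and log entries around the pid's start time).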
217. In a computer-related crime investigation, maintenance of evidence is important for which of the following reasons:
a. To record the crime
b. To collect the evidence
c. To protect the evidence
d. To avoid problems of proof
217. d. It is proper to maintain computer-related evidence. Special procedures are needed to avoid problems of proof caused by improper care and handling of such evidence.
218. An effective strategy to analyze indications to investigate the most suspicious activity is accomplished through which of the following?
a. Using an Internet search engine
b. Creating a diagnosis matrix
c. Synchronizing the clocks
d. Filtering of the incident data
218. d. An incident indication analyst sees a large volume of data daily for analysis, which consumes large amounts of time. An effective strategy is to filter indications so that insignificant indications are not shown or only significant indications are shown to the analyst.
219. Which of the following is directly applicable to computer security incident prioritization?
a. Gap-fit analysis
b. Sensitivity analysis
c. Option analysis