This set of flashcards covers important concepts related to data sources for incident response and digital forensics as discussed in the lecture.
In the context of an incident response case, a _______ is something that can be subjected to analysis to discover indicators.
data source
Common data sources include log files from network appliances, system memory, and _______ generated by host computers.
media device file system data
The 'Vs' that describe issues with large amounts of data include volume, velocity, variety, ________, and value.
veracity
A security information and event management (SIEM) tool aggregates and correlates multiple _______ sources.
data
An event dashboard provides a console to support day-to-day incident response and gives a summary of information drawn from underlying _______ sources.
data
A SIEM can be used for alert reporting and ________ reports that communicate the level of threats and incidents.
status
Operating systems maintain logs to record _______ as users and software interact with the system.
events
Windows logs include Application, Security, and _______ logs.
System
Linux distributions can use syslog or _______ for logging events, depending on the system.
Journald
The source of logged events will typically include a host or network address, a process name, and categorization/______ fields.
priority
An application log file is managed by an _______ rather than the operating system.
application
An endpoint log monitors events from security software running on the host rather than the OS, and can include host-based firewalls and _______ detection.
intrusion
A vulnerability scanner can log each _______ detected to a SIEM.
vulnerability
Network logs are generated by appliances such as routers and _______.
firewalls
A firewall audit event will record a date/timestamp, the interface on which the rule was triggered, and whether the rule matched incoming or _______ traffic.
outgoing
Analyzing packet contents can help reveal the tools used in an _______.
attack
Metadata can help establish timeline questions, such as when and where a _______ occurred.
breach
An email's Internet header includes address information for the recipient and sender, plus details of the servers handling _______ transmission.
message
The MTA routes the message to the recipient, with the message passing via one or more additional _______ servers.
SMTP