What are the goals of security?
Confidentiality
Integrity
Availability
What is forensics?
Application of science to legal problems
What is digital forensics?
Application of science to provide an explanation to what has and has not happened in a system, and to preserve integrity and maintain chain of custody
What is volatile data?
Data that will eventually not be available for collection over time.
Examples of volatile data (Physical and Digital)
Blood, hair
Dying Laptop/phone, computer RAM
How is the order of volatility determined?
The lifetime of the data
Highest: CPU, Cache, Register contents
Lowest: Archival media & Backups
What is Chain of custody?
Tracks the movement of evidence, who touched it, etc.
What is a Legal Hold (Litigation Hold)?
Prevents others from altering evidence in any way, such as in the situation where that evidence may be important
What is a Hold Notification?
A notification to preserve evidence in its current state and prevent any form of alteration
What is the purpose of capturing a system image?
It creates a replica of a system's physical memory
Allows people to work with and manipulate a copy of evidence for further investigation
Important since working with the original evidence may corrupt the original data
What is the purpose of obtaining network/traffic logs? Where can they be obtained?
Data acquisition and investigation.
Firewalls, network flow data, event logs
What is an incident?
Essentially any threat-level event. Not all incidents have the same threat-level, and often some incidents are bigger than others.
What is Incident management?
Refers to the plans that an organization should take to correct hazards and prevent them in the future
What is an incident response plan?
The instructions that help an organization perform incident management: Helps to detect, respond to, and recover from security incidents
What are the phases of an incident response plan?
Preparation
Identification
Containment
Eradication/Recovery
Lessons Learned
What is a CSIRT?
Cyber Security Incident Response Team.
The team in charge of creating and enforcing the Incident Response Plan
What is the primary goal of incident response?
To effectively remove a threat from the environment while minimizing damages and restoring operations as soon as possible
What are the six questions that a digital forensics team answers?
Who
What
Where
When
Why
and How
What is the Incident Response Process?
Preparation
Detection
Analysis
Containment
Eradication & Recovery
Post Incident Activity (Lessons Learned)
What does Chain of Custody protect?
The Integrity of the evidence
What are the types of digital evidence?
Persistent Data and Volatile Data
What are the 5 rules of Evidence?
Admissible
Authentic
Complete
Reliable
Believable
Relevant
What is Locard's Exchange Principle?
Every contact, no matter how slight, will leave a trace
What is the best practice in terms of handling digital evidence?
Digital evidence can be contaminated, and therefore you always make a copy, and only ever analyze the copy
What are the categories of digital forensics?
Network forensics
Database forensics
Mobile device forensics
and more
What are some methods for data evidence collection?
Full-disk forensic imaging
Drag and Drop Collection
Targeted Forensic Collection
Volatile Data Collection
Live System Imaging
What are the three areas of preparation?
Prepare the organization
Prepare the Incident Response Team
Prepare the infrastructure
What is the policy for secure storage and handling of evidence?
Must be in a tamper-proof bag or tamper-proof state
Access is controlled
Chain of custody is included
What are the main two types of evidence collection?
Background evidence collection
Foreground evidence collection
What is the difference between Background and Foreground evidence collection?
Background evidence refers to passive data collection, collected as part of normal procedure
Foreground evidence refers to active data gathered to detect crime or identify criminals. Sometimes referred to as monitoring
What is the difference between reactive and proactive digital forensics?
RDF responds to a crime after the fact
PDF prepares for the eventuality of the crime occurring
What are some types of Intrusion detection?
Honeypots
Tampering detection
Outbound packet inspection
Network mapping