Lesson 14 Questions


Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors.

The data or resources a function produces

What is the significance of the fact that digital evidence is latent?

The evidence cannot be seen directly but must be interpreted so the validity of the interpreting process must be unquestionable.

What software tools may be of use to a forensic investigator seeking to prepare a hard drive for analysis of its contents?

Disk imaging software to make a copy of the drive (including boot sectors and free space) plus cryptographic software to make a hash of the drive contents. This helps to prove that the contents of the drive have not been tampered with by the investigator (or anyone else) since the drive was taken as evidence.

What is the significance of "order of restoration"?

If a site suffers a critical failure (such as complete power loss), simply switching all the systems back on at the same time can cause additional failures (often of greater severity). Order of restoration specifies the dependencies that must be met before a specific part of the system is brought back online.

You've fulfilled your role in the forensic process and now you plan on handing the evidence over to an analysis team. What important process should you observe during this transition, and why?

It's important to uphold a record of how evidence is handled in a chain of custody. The chain of custody will help verify that everyone who handled the evidence is accounted for, including when the evidence was in each person's custody. This is an important tool in validating the evidence's integrity.

Redundant Array of Independent Disks (RAID) is installed with data written to two disks with 50% storage efficiency. Which RAID level has been utilized?

Level 1

A company determines the mean amount of time to replace or recover a system. What has the company calculated?

MTTR

What metric is used to identify the expected service lifetime of a non-repairable appliance?

Mean Time to Failure (MTTF).

A company is working to restore operations after a blizzard stopped all operations. Evaluate the order of restoration and determine the correct order of restoring devices from first to last.

Routers, firewalls, Domain Name System (DNS), client workstations

How might "big data" assist with a forensic examination of a computer hard drive?

"Big data" visualization or frequency analysis might help to identify information stored on the disk. Often this allows information to be shown in a graphical or pictorial form, which lets patterns emerge that may not be obvious when looking at the data using traditional methods.

A critical server has a high availability requirement of 99.99%. Solve the Maximum Tolerable Downtime (MTD) in hh:mm:ss to conclude which option will meet the requirement.

00:49:23

Select the example that provides an accurate simulation of a company engaging in the identifying threats phase of risk management.

A company conducts research to determine why vulnerabilities may be exploited.

Analyze automation strategies to differentiate between elasticity and scalability. Which scenarios demonstrate scalability?

A company is hired to provide data processing for ten additional clients and has a linear increase in costs for the support. A company has a 10% increase in clients and a 5% increase in costs.

What is a risk register?

A document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

What is a tabletop exercise?

A non-simulated drill of emergency response procedures. Staff may role-play and discuss their responses but actual emergency conditions are not simulated.

How does elasticity differ from scalability?

A scalable system is one that responds to increased workloads by adding resources without exponentially increasing costs. An elastic system is able to assign or unassign resources as needed to match either an increased workload or a decreased workload.

Apart from natural disaster, what type of events threaten physical damage to assets?

Accidental damage, vandalism, war/terrorism.

How does RAID support fault tolerance?

Aside from RAID 0, RAID provides redundancy between a group of disks, so that if one disk were to fail, that data may be recoverable from the other disks in the array.

As part of its backup process, Develetech created a backup of its entire customer records database on Monday. On Tuesday, Develetech created a backup only from the changes made between Monday and Tuesday. On Wednesday, Develetech created a backup only from the changes made between Monday and Wednesday. What type of backup is Develetech doing?

Differential

What is the process of identifying and de-duplicating files and metadata to be stored for evidence in a trial an example of?

eDiscovery

Why are disaster recovery exercises an important part of creating a disaster recovery plan?

Full-scale or functional exercises can identify mistakes in the plan that might not be apparent when drafting procedures. They also help to familiarize staff with the plan.

A natural disaster has resulted in a company moving to an alternative processing site. The company has operations moved within a few hours as a result of having a building with all of the equipment and data needed to resume services. Evaluate the types of recovery sites to determine which the company is utilizing.

Hot site

What security considerations affect an alternate hot site that do not generally apply to warm or cold sites?

Hot sites are generally kept live with a current data set, requiring duplication of security measures required to secure the resources, especially if the site is not fully manned or occupied.

Which two metrics must you reduce in order to meet an MTD target?

In order to meet the maximum tolerable downtime (MTD) for a business function, the Recovery Time Objective (RTO) and Work Recovery Time (WRT) of any systems that support it cannot exceed the MTD value.

What risk is there in leasing alternate sites (as opposed to owning them)?

In the event of a widespread disaster, demand can outstrip supply. This was sadly found to be the case in the aftermath of the 9/11 terrorist attack and the Hurricane Katrina natural disaster.

Evaluate the metrics associated with Mission Essential Functions (MEF) to determine which example is demonstrating Work Recovery Time.

It takes three hours to restore a system from backup, reintegrate the system, and test functionality.

Is RAID mirroring a backup technology?

No. RAID mirroring provides fault tolerance in the event of a mechanical failure of a hard drive. Backup provides protection for data in the event of volume failure, data corruption, accidental or malicious destruction, and so on.

How does non-persistence reduce risk?

Non-persistence means that any code or configuration that does not conform to the deployment template or master image is removed when a system is restored (or rebooted). This mitigates against the risk of malware continuing to infect a system or an adversary maintaining access to a compromised host.

What should be the first action at a crime scene during a forensic investigation?

Preserve the crime scene by recording everything as is, preferably on video.

How is system availability typically expressed?

Quantitatively, using uptime statistics such as "99.99%," "99.9%," "99%," etc.

What type of risk mitigation option is offered by purchasing insurance?

Risk transference.

What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?

Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by ARO (Annual Rate of Occurrence).

What factor is most likely to reduce a system's fault tolerance?

Single points of failure.

What phrase describes ensuring that critical functions remain properly staffed in the event of employee fatalities?

Succession planning.

What factors determine the selection of security controls in terms of an overall budget?

The risk (as determined by impact and likelihood) compared to the cost of the control. This metric can be calculated as Return on Security Investment (ROSI).

Why might a file time stamp not show the time at which a crime was committed?

The time stamp may record Coordinated Universal Time (UTC) rather than the local time. An offset would need to be applied (and it might need to be demonstrated that the computer's time zone was correctly set).

Assume that there are 100 servers, and the administrators can only recover 20 at a time before moving on to the next 20. Does this cause a conflict with the organization's RTO? Why or why not?

This does not necessarily cause a conflict with the organization's RTO. If the MTTR is 8 hours, then it will take 40 hours to recover 5 sets of 20 servers. Since 40 hours is less than the RTO of 2 days (48 hours), the organization can still hit its objective.

Why might an organization implement backups using incremental sets along with full sets rather than just full sets?

To minimize backup time and storage media usage.

What is an automated course of action?

Using Software Defined Networking (SDN), virtualization, and scripted or programmed deployment (DevOps) to provision an alternative processing site or facility automatically in response to an event or trigger.

In which types of recovery site(s) would you expect to have to install computer equipment?

While definitions vary, this is typically true of cold sites only. Warm sites have existing processing capability but not the latest data set, as hot sites would have.
