a. 1 and 2

b. 2 and 3

c. 1 and 3

d. 3 and 4

42. a. Major factors to consider in the design of organizational-level log management processes include the network bandwidth, the volume of log data to be processed, online and offline data storage, the security needs for the data, and the time and resources needed for staff to analyze the logs. Configuring log sources and performing log analysis deal with system-level log management processes.

43. Regarding log management, the use of which of the following is not likely to be captured in logs?

a. Data concealment tools

b. Antivirus software

c. Spyware detection and removal utility software

d. Host-based intrusion detection software

43. a. The use of most data concealment tools is unlikely to be captured in logs because their intention is to hide. The other three choices are incorrect because they are examples of security applications. Along with content filtering software, they are usually logged.

44. What is the major reason why computer security incidents go unreported?

a. To avoid negative publicity

b. To fix system problems

c. To learn from system attacks

d. To take legal action against the attacker

44. a. Avoiding negative publicity is the major reason, although there are other minor reasons. This is because bad news can cause current or potential clients to worry about their own sensitive information contained in computer systems. Taking legal action is not done regularly because it costs significant amounts of time and money. Fixing system problems and learning from system attacks could be byproducts of a security incident. The other three choices are minor reasons, but the overriding reason is avoiding negative publicity.

45. A standard characteristic for perpetrating a computer crime does not include which of the following?

a. Motive

b. Action

c. Opportunity

d. Means

45. b. A person must have a motive, the opportunity, and the means to commit a crime. Action is the resulting decision.

46. Multiple tools (forensic, nonforensic, and hybrid) are used to recover digital evidence from a mobile/cell phone. Which of the following can resolve conflicts from using such multiple forensic tools?

a. Virtual machine ware (VMware)

b. Universal subscriber identity module (USIM)

c. Port monitoring

d. Infrared and Bluetooth monitoring

46. a. Conflicts can arise when using multiple forensic tools due to their incompatibility in functional design specifications. One method to resolve such conflicts is to use a product such as virtual machine ware (VMware) to create a virtual machine (VM) environment on each forensic workstation for the tool to execute. Because multiple independent VMs can run simultaneously on a single workstation, several tools or tool collections that otherwise would be incompatible are readily supported.

The other three choices are incorrect because they do not have the ability to handle conflicts from using multiple tools; they are examples of individual tools. Examples of forensic tools include universal subscriber identity module (USIM) tools, handset tools, and integrated toolkits. A forensic hash is used to maintain the integrity of data by computing a cryptographically strong, non-reversible value over the acquired data. Examples of non-forensic tools include port monitoring to capture protocol exchanges, infrared and Bluetooth monitoring, and phone managers to recover data. For non-forensic tools, hash values should be created manually using a tool such as sha1sum or md5sum and retained for integrity verification. Examples of hybrid forensic tools include port monitoring with monitoring of USIM tool exchanges.

47. Which of the following is not a part of active identification of infected hosts with a malware incident?

a. Sinkhole router

b. Packet sniffers

c. Custom network-based IPS or IDS signatures

d. Vulnerability assessment software

47. a. A sinkhole router is a part of forensic identification, which mitigates extraneous traffic from an ongoing attack. Sources of active identification include login scripts, custom network-based intrusion prevention system (IPS) or intrusion detection system (IDS) signatures, packet sniffers, vulnerability assessment software, host scans, and file scans.
