68. The chain of custody does not ask which of the following questions?
a. Who damaged the evidence?
b. Who collected the evidence?
c. Who stored the evidence?
d. Who controlled the evidence?
68. a. The chain of custody deals with who collected, stored, and controlled the evidence and does not ask who damaged the evidence. It looks at the positive side of the evidence. If the evidence is damaged, there is nothing to show in court.
69. Software site licenses are best suited for:
a. Unique purchases
b. Fixed price license
c. Single purchase units
d. Small lots of software
69. b. Software site licenses are best suited for moderate to large software requirements where fixed price license or volume discounts can be expected. Discounts provide an obvious advantage. By obtaining discounts, an organization not only acquires more software for its investment but also improves its software management. Factors that expand the requirements past normal distribution/package practices are also prime candidates for site licenses. Examples of such factors are software and documentation copying and distribution, conversion, and training. Site licenses are not appropriate for software deployed in a unique situation, single purchase units, or small lots of software.
70. Which of the following statements about Cyberlaw is not true?
a. A person copying hypertext links from one website to another is liable for copyright infringement.
b. The act of copying graphical elements from sites around the Web into a new page is illegal.
c. The icons are protected under copyright law.
d. There are no implications in using the Internet as a computer software distribution channel.
70. d. Cyberlaw precludes commercial rental or loan of computer software without authorization of the copyright owner. It is true that a person constructing an Internet site needs to obtain permission to include a link to another’s home page or site. There may be copyrightable expressions in the structure, sequence, and organization of those links. A person copying those links into another website could well be liable for copyright infringement. Although it is quite easy to copy graphics from sites around the Web and paste them into a new page, it is also clear that in most cases such copying constitutes copyright infringement. Icons are part of graphics and are protected by copyright laws.
71. Which of the following is a primary source for forensic identification of infected hosts?
a. Spyware detection and removal utility software
b. Network device logs
c. Sinkhole routers
d. Network forensic tools
71. a. Spyware detection and removal utility software is a primary source along with antivirus software, content filtering, and host-based IPS software.
Network device logs, sinkhole routers, and network forensic tools are incorrect because they are examples of secondary sources. Network device logs show specific port number combinations and unusual protocols. A sinkhole router is a router within an organization that receives all traffic that has an unknown route (e.g., destination IP addresses on an unused subnet). A sinkhole router is usually configured to send information about received traffic to a log server and an IDS; a packet sniffer is also used sometimes to record the suspicious activity. Network forensic tools include packet sniffers and protocol analyzers.
72. Which of the following is not an example of security software logs?
a. Intrusion detection system logs
b. Authentication server logs
c. E-mail server logs
d. Honeypot logs
72. c. E-mail logs are an example of application logs. The other three logs are examples of security software logs.
73. Logs can be useful for which of the following reasons?
1. To establish baselines
2. To perform forensic analysis
3. To support internal investigations
4. To identify operational trends
a. 1 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4
73. d. Logs can be useful for establishing baselines, performing auditing and forensic analysis, supporting investigations, and identifying operational trends and long-term problems.
74. Network time protocol (NTP) servers are used to keep log sources’ clocks consistent with each other in which of the following log-management infrastructure functions?
a. Log filtering
b. Log aggregation
c. Log normalization
d. Log correlation