Self Test Appendix • Appendix  819

    9.  An investigator arrives at a site where all of the computers involved in the incident are still running. The first responder has locked the room containing these computers, but has not performed any additional tasks. Which of the following tasks should the investigator perform?

        A. Tag the computers as evidence
        B. Conduct a search of the crime scene, and document and photograph what is displayed on the monitors
        C. Package the computers so that they are padded from jostling that could cause damage
        D. Shut down the computers involved in the incident

        Answer B. The investigator should document and photograph what is displayed on the monitors, because the first responder hasn't done so. The investigator should also conduct a search of the crime scene to identify evidence and determine whether the scope of the crime scene is larger than initially identified.

        Answers A and C are incorrect, because these are the responsibility of the crime scene technician. Answer D is incorrect, because the computers should be left running until the crime scene technician has acquired evidence from the machines.

    10. You are part of an Incident Response Team investigating a hacking attempt on a server. You have been asked to gather and document volatile evidence from the computer. Which of the following would qualify as volatile evidence?

        A. Any data on the computer's hard disk that may be modified
        B. Fingerprints, fibers, and other traditional forensic evidence
        C. Data stored in the computer's memory
        D. Any evidence stored on floppy or other removable disk

        Answer C. Data stored in the computer's memory. Volatile evidence is data stored in memory, which could be lost if the computer was shut down or lost power.

        Answer A is incorrect, because data on the hard disk is digital evidence. If the system were shut down, the evidence would still be retained on the hard disk, so it isn't volatile. Answer B is incorrect, because members of the Incident Response Team wouldn't gather fingerprints, fibers, and other traditional forensic evidence. This evidence could still be gathered from the area after the volatile evidence was obtained and documented. However, because fingerprint evidence may be fragile and subject to destruction, Incident Response Team members should be careful about touching surfaces where prints might be located. Answer D is incorrect, because evidence stored on removable disks is non-volatile evidence that will not be affected by computer shutdown.

    11. You are assessing risks and determining which policies to protect assets will be created first. Another member of the IT staff has provided you with a list of assets, which have importance weighted on a scale of 1 to 10. Internet connectivity has an importance of 8, data has an importance of 9, personnel have an importance of 7, and software has an importance of 5. Based on these weights, what is the order in which you will generate new policies?
                                                                              www.syngress.com