CISA Certified Information Systems Auditor – Question2200

In computer forensic which of the following describe the process that converts the information extracted into a format that can be understood by investigator?

A.
Investigation
B. Interrogation
C. Reporting
D. Extraction

Correct Answer: A

Explanation:

Explanation:
Investigation is the process that converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.
For CISA exam you should know below mentioned key elements of computer forensics during audit planning.
Data Protection -To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means.
Data Acquisition – All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using device known as write blocker.
Imaging -The Imaging is a process that allows one to obtain bit-for bit copy of a data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.
Extraction – This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes software used and media where an image was made.
The extraction process could include different sources such as system logs, firewall logs, audit trails and network management information.
Interrogation -Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.
Investigation/ Normalization -This process converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.
Reporting- The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis. The report should achieve the following goals
Accurately describes the details of an incident.
Be understandable to decision makers.
Be able to withstand a barrage of legal security
Be unambiguous and not open to misinterpretation.
Be easily referenced
Contains all information required to explain conclusions reached
Offer valid conclusions, opinions or recommendations when needed
Be created in timely manner.
The following were incorrect answers:
Interrogation -Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.
Extraction – This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability.
Reporting -The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis.
Reference:
CISA review manual 2014 Page number 367 and 368