Systems Security Certified Practitioner – SSCP – Question0441
In the process of gathering evidence from a computer attack, a system administrator took a series of actions which are listed below. Can you identify which one of these actions has compromised the whole evidence collection process? A. Using a write blocker B. Made a full-disk image C. Created a message digest for log files D. Displayed the contents of a folder
Correct Answer: D
Explanation:
Displaying the directory contents of a folder can alter the last access time on each listed file.
Using a write blocker is wrong because using a write blocker ensure that you cannot modify the data on the host and it prevent the host from writing to its hard drives.
Made a full-disk image is wrong because making a full-disk image can preserve all data on a hard disk, including deleted files and file fragments.
Created a message digest for log files is wrong because creating a message digest for log files. A message digest is a cryptographic checksum that can demonstrate that the integrity of a file has not been compromised (e.g. changes to the content of a log file) Domain: LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS
References: AIO 3rd Edition, page 783-784 NIST 800-61 Computer Security Incident Handling guide page 3-18 to 3-20
Please disable your adblocker or whitelist this site!