Chain of custody | Exam Premium

CompTIA Security+ Question B-100

Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time.
Which of the following does this illustrate?

A. System image capture
B. Record time offset
C. Order of volatility
D. Chain of custody

Answer: D

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.

CompTIA Security+ Question B-35

A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident?

A. Eye Witness
B. Data Analysis of the hard drive
C. Chain of custody
D. Expert Witness

Answer: C

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you’re open to dispute about possible evidence tampering.

CompTIA Security+ Question A-100

A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment?

A. Chain of custody
B. Tracking man hours
C. Record time offset
D. Capture video traffic

Answer: C

Explanation:
It is quite common for workstation as well as server times to be off slightly from actual time. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system. There is no mention that this was done by the incident response team.

CompTIA Security+ Question A-29

The use of social networking sites introduces the risk of:

A. Disclosure of proprietary information
B. Data classification issues
C. Data availability issues
D. Broken chain of custody

Answer: A

Explanation:
People and processes must be in place to prevent the unauthorized disclosure or proprietary information and sensitive information s these pose a security risk to companies. With social networking your company can be exposed to as many threats as the amount of users that make use of social networking and are not advised on security policy regarding the use of social networking.

CompTIA Security+ Simulation 11

A security administrator discovers that an attack has been completed against a node on the corporate network. All available logs were collected and stored.

You must review all network logs to discover the scope of the attack, check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network. The environment is a critical production environment; perform the LEAST disruptive actions on the network, while still performing the appropriate incident responses.

Instructions: The web server, database server, IDS, and User PC are clickable. Check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network. Not all actions may be used, and order is not important. If at anytime you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Correct Answer:

Database server was attacked; actions should be to capture network traffic and Chain of Custody.

Explanation:
(The database server logs shows the Audit Failure and Audit Success attempts)It is only logical that all the logs will be stored on the database server and the least disruption action on the network to take as a response to the incident would be to check the logs (since these are already collected and stored) and maintain a chain of custody of those logs.

IDS Server Log:

Web Server Log:

Database Server Log:

Users PC Log:

CompTIA Network+ Question C-47

Which of the following is a document that is used in cyber forensics that lists everywhere evidence has been?

A. Warrant
B. Legal document
C. Chain of custody
D. Forensic report
E. Documentation of the scene

Correct Answer: C

CompTIA Network+ Question C-31

Which of the following BEST describes the process of documenting everyone who has physical access or possession of evidence

A. Legal hold
B. Chain of custody
C. Secure copy protocol
D. Financial responsiblity

Correct Answer: B

CompTIA Network+ Question B-72

A network technician was tasked to respond to a compromised workstation. The technician documented the scene, took the machine offline, and left the PC under a cubicle overnight. Which of the following steps of incident handling has been incorrectly performed?

A. Document the scene
B. Forensics report
C. Evidence collection
D. Chain of custody

Correct Answer: D

Explanation:
To verify the integrity of data since a security incident occurred, you need to be able to show a chain of custody.
A chain of custody documents who has been in possession of the data (evidence) since a security breach occurred. A well-prepared organization will have process and procedures that are used when an incident occurs.
A plan should include first responders securing the area and then escalating to senior management and authorities when required by policy or law. The chain of custody also includes documentation of the scene, collection of evidence, and maintenance, e-discovery (which is the electronic aspect of identifying, collecting, and producing electronically stored information), transportation of data, forensics reporting, and a process to preserve all forms of evidence and data when litigation is expected. The preservation of the evidence, data, and details is referred to as legal hold.

CompTIA Network+ Question B-58

An organization is involved in a civil court action and needs to ensure email messages are retained. Which of the following describes the requirement to archive and retain email traffic and other correspondence?

A. Chain of custody
B. Legal hold
C. Divide and conquer
D. Persistent agents

Correct Answer: B

CompTIA A+ Question K-42

A user has been reported for storing prohibited material on a company owned PC. The accused user is notified and an investigation is launched. However, no evidence is found and it is believed that the user was able to delete all relevant evidence. Which of the following would prevent this from happening in the future?

A. Change documentation
B. Chain of Custody
C. Automatic notifications for complaints
D. Data preservation

Correct Answer: D