CompTIA Security+ Question B-35

A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident?

A. Eye Witness
B. Data Analysis of the hard drive
C. Chain of custody
D. Expert Witness

Answer: C

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you’re open to dispute about possible evidence tampering.

CompTIA Security+ Question B-22

Which of the following provides the best data fault tolerance at the LOWEST cost?

A. Load balancing
B. Clustering
C. Server virtualization
D. RAID 6

Answer: D

Explanation:
RAID (redundant array of independent disks) allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. RAID can achieve fault tolerance in software, using the existing hardware and software, and so represents the lowest-cost option.

CompTIA Security+ Question A-53

Peter, an employee, is terminated from the company and the legal department needs documents from his encrypted hard drive. Which of the following should be used to accomplish this task? (Select TWO).

A. Private hash
B. Recovery agent
C. Public key
D. Key escrow
E. CRL

Answer: B,D

Explanation:
B: If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys.

D: If a key needs to be recovered for legal purposes, key escrow can be used. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee’s private messages have been called into question.

CompTIA Security+ Question A-20

Establishing a method to erase or clear cluster tips is an example of securing which of the following?

A. Data in transit
B. Data at rest
C. Data in use
D. Data in motion

Answer: B

Explanation:
A computer hard disk is divided into small segments called clusters. A file stored on a hard disk usually spans several clusters but rarely fills the last cluster; the unused remainder is called the cluster tip. Because the size of the file you are working with may grow or shrink, this cluster tip area may still contain leftover file data and needs to be securely deleted. Data stored on the hard drive is called data at rest.

CompTIA Security+ Simulation 9

DRAG DROP
A forensic analyst is asked to respond to an ongoing network attack on a server. Place the items in the list below in the correct order in which the forensic analyst should preserve them.

Select and Place:

Correct Answer:


Section: Compliance and Operational Security

When dealing with multiple issues, address them in order of volatility (OOV); always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone. Naturally, in an investigation you want to collect everything, but some data will exist longer than other data, and you cannot possibly collect all of it at once. As an example, the OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts.

Order of volatility: Capture system images as a snapshot of what exists, look at network traffic and logs, capture any relevant video/screenshots/hashes, record time offset on the systems, talk to witnesses, and track total man-hours and expenses associated with the investigation.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sybex, Indianapolis

CompTIA A+ Core 2 Question J-38

A user states they are hearing a clicking noise coming from the computer. There is a message on the screen saying no operating system found, and the computer then attempts to boot from PXE. Which of the following should the technician perform?

A. Remove the floppy disk
B. Replace the hard drive
C. Replace the NIC
D. Replace the DVD-ROM

Correct Answer: B

CompTIA A+ Core 2 Question J-22

A company has purchased new computers. The old computers will be donated to a local charity. Before the computers are picked up, the president of the company wants to make sure that the computers do not have confidential company information on them. Which of the following is the BEST method to accomplish this?

A. Run CHKDSK
B. Format the hard drive
C. Use a degaussing tool
D. Defragment the hard drive

Correct Answer: C