Udemy-Domain 7 Flashcards
a chain of custody form would record the following 4 things:
Who handled the evidence
What they did with it
Where they had it
When they had it
a hard drive has ___ going around (like grooves in a vinyl record) and ___ going out from the center like pie slices. Where these intersect is called a ___ and groups of adjacent ones are called ___
tracks; sectors; track sectors; clusters
the 4 types of disk-based forensic data are
allocated space
unallocated space
slack space
bad blocks/clusters/sectors
network forensics can be of two types: the first, where ___, and the second, where ___, which technically requires a search warrant or approval
we monitor traffic for anomalies;
data is reassembled from traffic
collecting network data for forensics can either be ___, where the traffic is stored for later analysis, or ___, where each packet is analyzed in real time and only some of it is stored
catch if you can (requires more storage);
stop, look and listen (requires more processing power)
a security ___ triggers warnings if an ___ happens
alert; event
a security ___ consists of multiple adverse events happening on a system or network
incident
the difference between a security incident and a security problem is that a problem ___
has an unknown cause and warrants more root cause analysis
a security ___ is a non-disruptive failure
inconvenience
a security ___ is urgent: an event with the potential for loss of life or property
emergency
a ___ is an event that causes an entire facility to be unusable for 24 hours or longer
disaster
a ___ is an event that destroys a facility
catastrophe
a ___ port is configured to capture all the traffic on the network
SPAN
one advantage of HIDS over NIDS is that it can see the traffic ___
unencrypted
one disadvantage of HIDS over NIDS is that some attacks can ___
disable a HIDS
disabling ports on a network workstation should be done from ___
Active Directory
to ensure that ALL devices on a network are properly configured/hardened, use ___
OS images
change management is ___, but change control is ___
the entire project of the change; the parts where we control the change
one reason to exclude OS files from a backup is ___
to avoid backing up any rootkit programs
one difference between incremental and differential backups is that ___ backups do not clear the archive bit
differential
a copy backup is like a full backup, except ___
it doesn’t clear the archive bit
___ refers to anything computer-related, but ___ refers to anything online
IT security; cyber-security
a DRP has 4 basic steps:
- Mitigation (reduce likelihood and impact)
- Preparation (procedures, tools and training)
- Response
- Recovery (restore functionality/production)
in Disaster Recovery, the Recovery team gets an alternate site up and running (failover), starting with the most critical systems. The Salvage team ___, starting with ___
restores the original infrastructure (failback); the least critical systems (to ensure stability)