Читаем CISSP Practice полностью

87. When applying computer forensics to redundant array of independent disks (RAID) disk imaging, acquiring a complete disk image is important proof as evidence in a court of law. This is mostly accomplished through which of the following?

a. Ensuring accuracy

b. Ensuring completeness

c. Ensuring transparency

d. Using a hash algorithm

87. d. In the field of computer forensics and during the redundant array of independent disks (RAID) disk imaging process, two of the most critical properties are obtaining a complete disk image and getting an accurate disk image. One of the main methods to ensure either or both of these properties is through using a hash algorithm. A hash is a numerical code generated from a stream of data, considerably smaller than the actual data itself, and is referred to as a message digest. It is created by processing all of the data through a hashing algorithm, which generates a fixed length output. Here, transparency means that the data is widely accessible to non-proprietary tools.

88. Computer security incidents should not be prioritized according to:

a. Current effect of the incident

b. Criticality of the affected resources

c. First-come, first-served basis

d. Future effect of the incident

88. c. Computer security incidents should not be handled or prioritized on a first-come, first-served basis due to resource limitations. Incident handlers should consider not only the current negative technical effect of the incident, but also the likely future technical effect of the incident if it is not immediately contained. The criticality of a resource (e.g., firewalls and Web servers) is based on the data it contains or services it provides to users. The other three choices are the factors to consider during incident prioritization.

89. Which of the following indications is not associated with a malicious action such as a worm that spreads through a vulnerable service infecting a host?

a. No links to outside sources

b. Increased network usage

c. Programs start slowly and run slowly

d. System instability and crashes

89. a. There should not be any links to outside sources, and it is an example of possible indications of a malicious action, such as a user who receives a virus hoax message. The other three choices are examples of possible indications of a worm that spreads through a vulnerable service infecting a host.

90. Which of the following phases of a computer forensic process dealing with computer incidents most often uses a combination of automated tools and manual methods?

a. Collection

b. Examination

c. Analysis

d. Reporting

90. b. A computer forensic process dealing with computer incidents is composed of four phases: collection, examination, analysis, and reporting. The examination phase most often involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data.

The collection phase is mostly automated in identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following guidelines, policies, and procedures. The analysis phase is manual in analyzing the results of the examination phase, using legally justifiable methods and techniques. The reporting phase is manual in reporting the results of the analysis phase, which may include describing the actions performed and explaining how tools and procedures were selected.

91. Computer software is properly protected by trade secrets in addition to copyright laws in which of the following countries or regions of the world?

a. Brazil

b. Mexico

c. Western Europe

d. Argentina

91. c. Computer software is properly protected by trade secrets in addition to copyright in European Community member nations. Brazil has no specific laws, and Argentina may have some specific laws of trade secret protection. Mexico has laws protecting industrial secrets but not for trade secrets in computer software.

92. Which of the following logs have a secondary usage in analyzing logs for fraud?

a. Antimalware software logs