Digital Forensics
Digital forensics → process of identifying, collecting, preserving, analyzing, and reporting digital evidence in a way that maintains integrity and supports legal or investigative use.
RFC 3227 Best Practices
RFC 3227 (Request for Comments 3227) best practices → digital forensics guidelines that emphasize collecting volatile data first, minimizing system changes, documenting every action taken, preserving original evidence, and maintaining a clear chain of custody.
Legal Hold
Legal hold → formal directive that requires organizations to preserve relevant data and suspend deletion or modification when litigation or investigation is anticipated.
ESI
Electronically stored information (ESI) → digital data such as emails, documents, databases, logs, and backups that can be used as evidence in investigations or legal proceedings.
Chain of Custody
Chain of custody → documented record that tracks who collected, handled, transferred, and stored evidence to prove it was not altered or tampered with.
Data Acquisition
Data acquisition → forensic collection of data from sources such as disks, memory, firmware, operating system files, virtual machines, and snapshots while preserving evidence integrity.
Data Forensics Reporting
Data forensics reporting → creation of clear, factual documentation that explains how evidence was collected, analyzed, and interpreted so findings can be understood and defended.
Data Preservation
Data preservation → process of protecting evidence from alteration or loss by using write blockers, secure storage, hashing, and controlled access.
E-discovery
Electronic discovery (e-discovery) → legal process of identifying, collecting, and producing electronically stored information for litigation or regulatory investigations.
Firewall Logs
Firewall logs → records of allowed and blocked network traffic that help identify unauthorized access attempts, scanning activity, or policy violations.
Application Logs
Application logs → records generated by software applications that track errors, user actions, and system events relevant to troubleshooting and security analysis.
Endpoint Logs
Endpoint logs → records generated by endpoint devices such as laptops and servers that capture authentication attempts, system activity, and security events.
OS-Specific Security Logs
Operating system-specific security logs → logs maintained by the operating system that record authentication events, privilege changes, and system-level security actions.
IPS/IDS Logs
Intrusion prevention system and intrusion detection system logs → records of detected or blocked malicious activity that help identify attacks and validate security alerts.
Network Logs
Network logs → records of network activity such as connections, flows, and traffic patterns used to detect anomalies and trace attacker movement.
Metadata
Metadata → data about data that provides context such as creation time, modification history, file owner, or location, often critical in forensic investigations.
Email Metadata/Header
Email metadata and headers → routing and transmission details within an email that reveal sender, recipient, mail servers used, timestamps, and potential spoofing indicators.