In computer forensics, which of the following is the process that allows bit-for-bit copy of a data to avoid damage of original data or information when multiple analysis may be performed?
Correct Answer: A
Section: Protection of Information Assets Explanation: Imaging is the process that allows one to obtain a bit-for bit copy of a data to avoid damage to the original data or information when multiple analysis may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector. For CISA exam you should know below mentioned key elements of computer forensics during audit planning. Data Protection -To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means. Data Acquisition - All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using device known as write blocker. Imaging -The Imaging is a process that allows one to obtain bit-for bit copy of a data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector. Extraction - This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes software used and media where an image was made. The extraction process could include different sources such as system logs, firewall logs, audit trails and network management information. Interrogation -Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data. Investigation/ Normalization -This process converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool. Reporting- The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis. The report should achieve the following goals Accurately describes the details of an incident. Be understandable to decision makers. Be able to withstand a barrage of legal security Be unambiguous and not open to misinterpretation. Be easily referenced Contains all information required to explain conclusions reached Offer valid conclusions, opinions or recommendations when needed Be created in timely manner. The following were incorrect answers: Extraction - This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. Data Protection -To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means. Data Acquisition - All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using device known as write blocker. Reference: CISA review manual 2014 Page number367 and 368
Question 7
Which of the following provides the GREATEST assurance of message authenticity?
Correct Answer: B
Explanation/Reference: Explanation: Encrypting the prehash code using the sender's private key provides assurance of the authenticity of the message. Mathematically deriving the prehash code provides integrity to the message. Encrypting the prehash code and the message using the secret key provides confidentiality.
Question 8
Which of the following should be of MOST concern to an IS auditor evaluating a forensics program?
Correct Answer: C
Question 9
Which of the following would BEST help in classifying an organization s data?
Correct Answer: B
Question 10
Physical access controls are usually implemented based on which of the following means (choose all that apply):
Correct Answer: A,B
Explanation/Reference: Explanation: In physical security, access control refers to the practice of restricting entrance to authorized persons. Human means of enforcement include guard, bouncer, receptionist ... etc. Mechanical means may include locks and keys.
