Exam 312-50 topic 8 question 84 discussion

Actual exam question from ECCouncil's 312-50

Question #: 84
Topic #: 8

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.
What is the most likely cause?

A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.
D. The security breach was a false positive.

Show Suggested Answer

Suggested Answer: A 🗳️
Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular.
References: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5619315&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%
3D5619315

by Mikemh at May 20, 2019, 6:01 p.m.

Comments

Submit Cancel

Dc888

6 months, 1 week ago

A. The question states the IR has the events. If the attacker had the means to alter the timestamps, why not delete them entirely. Devices were not synced, causing the discrepancy

upvoted 2 times

...