ExamTopics Logo
Mail Us[email protected]
Menu
Eccouncil Discussions
exam questions

Exam 312-50v11 All Questions

View all questions & answers for the 312-50v11 exam
Go to Exam

Exam 312-50v11 topic 1 question 17 discussion

Actual exam question from ECCouncil's 312-50v11
Question #: 17
Topic #: 1
[All 312-50v11 Questions]

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.
What is the most likely cause?

  • A. The network devices are not all synchronized.
  • B. Proper chain of custody was not observed while collecting the logs.
  • C. The attacker altered or erased events from the logs.
  • D. The security breach was a false positive.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by fishPSU21 at March 5, 2021, 4:47 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Cytrail
Highly Voted 2 years, 8 months ago
The answer is A, no attack by an attacker was mentioned in the question. The question bordered on event logs only. Let's not be faster than the examiners...
upvoted 15 times
MAAR1
9 months, 2 weeks ago
it says this is an incident investigation. so there should be an attack. i guess the answer is C
upvoted 1 times
awesomenessforso
6 months, 2 weeks ago
The question states that the logs are in the wrong sequence, key word sequence. If the answer was C the logs would have been "missing"
upvoted 1 times
...
...
...
callmetodd
Highly Voted 2 years, 2 months ago
the big keyword here is "many" of the logged events do not match up. If it was NTP, then all of the logs wouldn't match up. I'd suggest C as the correct answer. however, there is such a thing as the 'eccouncil box' and a "theme" that goes throughout the exam and course. which may suggest that A is the best "eccouncil" answer ;-)
upvoted 10 times
Mr_Gray
2 years, 2 months ago
this is a great call out. excellent point.
upvoted 2 times
...
...
asgasg
Most Recent 5 months, 3 weeks ago
Selected Answer: A
An attacker is expected to clear the logs. But this time, it is mismatch, not the lack of logs.
upvoted 1 times
...
vitusisya
6 months ago
Selected Answer: A
The time is not properly synchronized
upvoted 1 times
...
Daniel8660
1 year, 1 month ago
Selected Answer: A
Unsynchronized System Clocks fUnsynchronized System Clocks Timestamp inaccuracy constitutes the network administrator unable to analyze the log files for any malicious activity accurately. (P.2880/2864)
upvoted 2 times
...
StormCloak4Ever
1 year, 5 months ago
Selected Answer: A
The best answer is A.
upvoted 1 times
...
EngnSu
1 year, 6 months ago
p.2874 Unsynchronized System Clocks can affect the working of automated tasks; The network administrator cannot accurately analyze the log files for any malicious activity, if the timestamps are mismatched
upvoted 3 times
...
K3nz0420
1 year, 10 months ago
A is the ans
upvoted 1 times
...
lawbut2
2 years ago
A is best answer. p2864 Unsynchronized System Clocks
upvoted 1 times
...
Snipa_x
2 years, 3 months ago
Answer will be A. If NTP is not utilized on all the logging servers then the event's will not correlate.
upvoted 1 times
...
smurphuk
2 years, 3 months ago
The CEH course taught me that "an attacker may erase logs to avoid being caught". I'll be damned if the answer is not C?!? Time isnt even mentioned in the question.
upvoted 4 times
Mr_Gray
2 years, 2 months ago
the mention of synchronization can indicate the NTP is not set correctly. You do have validity to your point as if an attacker erased logs then they wouldn't match up later. This one merits additional research.
upvoted 1 times
...
GTofic
2 years ago
If the attacker erased the log there will be no correlation of the information. Answer is A, its about NTP (time) not synchronized
upvoted 1 times
...
Re_My
2 years ago
I agreed, C is the rigth Answer acording to Infosec course. An Attacker may delete logs to erase trace.
upvoted 2 times
...
...
selamkelamlar
2 years, 4 months ago
i go with A.
upvoted 1 times
...
cerzocuspi
2 years, 7 months ago
A is correct. Time sync
upvoted 3 times
...
OleMadhatter
2 years, 7 months ago
(A) time synchronization is off.
upvoted 2 times
...
americaman80
2 years, 8 months ago
Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular.
upvoted 4 times
...
sam422
2 years, 8 months ago
If the assumption is Time Sync, then Answer A makes sense, however, it appears devices sync type, which makes answer C
upvoted 1 times
dolumo
2 years, 6 months ago
"the sequence of many of the logged events do not match up" C would have been correct if some events were not on some logs
upvoted 3 times
...
...
sam422
2 years, 8 months ago
I go with C, an attacker can change time stamps to cover tracks
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel