Exam 312-50v11 topic 1 question 17 discussion

Actual exam question from ECCouncil's 312-50v11
Question #: 17
Topic #: 1

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events does not match up.
What is the most likely cause?

  • A. The network devices are not all synchronized.
  • B. Proper chain of custody was not observed while collecting the logs.
  • C. The attacker altered or erased events from the logs.
  • D. The security breach was a false positive.
Suggested Answer: A

Comments

Cytrail
Highly Voted 3 years ago
The answer is A, no attack by an attacker was mentioned in the question. The question bordered on event logs only. Let's not be faster than the examiners...
upvoted 15 times
MAAR1
1 year, 1 month ago
It says this is an incident investigation, so there should be an attack. I guess the answer is C.
upvoted 1 times
awesomenessforso
11 months ago
The question states that the logs are in the wrong sequence, key word "sequence". If the answer was C, the logs would have been "missing".
upvoted 1 times
callmetodd
Highly Voted 2 years, 7 months ago
The big keyword here is "many" of the logged events do not match up. If it was NTP, then all of the logs wouldn't match up. I'd suggest C as the correct answer. However, there is such a thing as the 'eccouncil box' and a "theme" that goes throughout the exam and course, which may suggest that A is the best "eccouncil" answer ;-)
upvoted 10 times
Mr_Gray
2 years, 6 months ago
This is a great call out. Excellent point.
upvoted 2 times
vitusisya
Most Recent 10 months, 2 weeks ago
Selected Answer: A
The time is not properly synchronized
upvoted 1 times
Daniel8660
1 year, 6 months ago
Selected Answer: A
Unsynchronized System Clocks: Timestamp inaccuracy leaves the network administrator unable to analyze the log files for any malicious activity accurately. (P.2880/2864)
upvoted 2 times
StormCloak4Ever
1 year, 9 months ago
Selected Answer: A
The best answer is A.
upvoted 1 times
EngnSu
1 year, 10 months ago
p.2874 Unsynchronized System Clocks can affect the working of automated tasks; the network administrator cannot accurately analyze the log files for any malicious activity if the timestamps are mismatched.
upvoted 3 times
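The course text quoted above gives the principle; the following script (an added example, not part of the ExamTopics thread or of the CEH course material) shows the effect concretely and how an investigator normalises it. The firewall, proxy and IDS log lines, the device names, the 3-minute-slow proxy clock and 2-minute-fast IDS clock are all constructed for the illustration. Correlating the raw lines shows proxy requests apparently logged before the firewall permitted the connection; estimating each device's clock offset against a reference device from sessions every device observed, then shifting the timestamps, restores a consistent sequence.

```python
"""Correlate firewall, proxy and IDS logs whose clocks disagree (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Real timeline per session: firewall ACCEPT, proxy
# request about one second later, IDS alert a second or two after that. The proxy
# clock is 3 minutes slow and the IDS clock is 2 minutes fast.
RAW_LOGS = {
    "firewall": [
        "2023-05-01T10:00:00Z ACCEPT src=10.1.1.5 dst=203.0.113.7 dport=80",
        "2023-05-01T10:05:00Z ACCEPT src=10.1.1.9 dst=198.51.100.4 dport=80",
    ],
    "proxy": [  # clock 3 minutes slow
        "2023-05-01T09:57:01Z GET src=10.1.1.5 dst=203.0.113.7 url=/update.bin",
        "2023-05-01T10:02:01Z GET src=10.1.1.9 dst=198.51.100.4 url=/login",
    ],
    "ids": [  # clock 2 minutes fast
        "2023-05-01T10:02:02Z ALERT src=10.1.1.5 dst=203.0.113.7 sig=example download rule",
        "2023-05-01T10:07:03Z ALERT src=10.1.1.9 dst=198.51.100.4 sig=example cleartext login rule",
    ],
}

# Order in which the devices sit on the traffic path; a downstream device can
# only ever see a session after the upstream one has (assumed topology).
DEVICE_ORDER = ["firewall", "proxy", "ids"]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def parse(device, line):
    """Turn one constructed log line into an event dict keyed by (src, dst)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable {device} line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"device": device, "ts": ts, "session": (m["src"], m["dst"]), "action": m["action"]}


def load_events(raw_logs):
    return [parse(dev, line) for dev, lines in raw_logs.items() for line in lines]


def first_seen(events):
    """Map session -> {device: earliest timestamp that device logged for it}."""
    table = defaultdict(dict)
    for ev in events:
        seen = table[ev["session"]]
        if ev["device"] not in seen or ev["ts"] < seen[ev["device"]]:
            seen[ev["device"]] = ev["ts"]
    return table


def sequence_violations(events, order=DEVICE_ORDER):
    """Return (session, upstream, downstream) triples where the downstream device
    logged the session strictly before the upstream device did."""
    violations = []
    for session, seen in first_seen(events).items():
        present = [d for d in order if d in seen]
        for up, down in zip(present, present[1:]):
            if seen[down] < seen[up]:
                violations.append((session, up, down))
    return violations


def estimate_offsets(events, reference="firewall"):
    """Estimate each device's clock offset relative to the reference device.

    For every session both devices logged, (device_ts - reference_ts) is the clock
    skew plus the real processing delay. The delay can only add to the gap, so the
    smallest gap over all shared sessions is the best estimate of the skew alone."""
    gaps = defaultdict(list)
    for seen in first_seen(events).values():
        if reference not in seen:
            continue
        for device, ts in seen.items():
            if device != reference:
                gaps[device].append(ts - seen[reference])
    offsets = {reference: timedelta(0)}
    for device, deltas in gaps.items():
        offsets[device] = min(deltas)
    return offsets


def normalise(events, offsets):
    """Shift every event onto the reference clock by subtracting its device's offset."""
    return [dict(ev, ts=ev["ts"] - offsets[ev["device"]], raw_ts=ev["ts"]) for ev in events]


def analyse(raw_logs=RAW_LOGS, reference="firewall"):
    events = load_events(raw_logs)
    before = sequence_violations(events)
    offsets = estimate_offsets(events, reference)
    after = sequence_violations(normalise(events, offsets))
    return {"before": before, "offsets": offsets, "after": after}


if __name__ == "__main__":
    result = analyse()
    print("sequence violations in raw logs:")
    for session, up, down in result["before"]:
        print(f"  {session}: {down} logged the session before {up}")
    for device, off in result["offsets"].items():
        print(f"clock offset of {device} vs firewall: {off.total_seconds():+.0f} s")
    print("violations after clock correction:", result["after"])
```

Two caveats an investigator should keep in mind. The estimated offset absorbs the smallest real delay between devices, so the corrected timeline is only accurate to about that delay (one second here); recording each device's clock skew against a trusted reference at the moment the logs are acquired is more precise than inferring it afterwards. And this check only re-orders events that are present in all logs; a session that simply never appears in one device's log is a different symptom (the "missing" case discussed in this thread) and is not explained by clock skew.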
K3nz0420
2 years, 2 months ago
A is the answer.
upvoted 1 times
lawbut2
2 years, 5 months ago
A is the best answer. p2864 Unsynchronized System Clocks
upvoted 1 times
Snipa_x
2 years, 7 months ago
Answer will be A. If NTP is not utilized on all the logging servers then the events will not correlate.
upvoted 1 times
smurphuk
2 years, 7 months ago
The CEH course taught me that "an attacker may erase logs to avoid being caught". I'll be damned if the answer is not C?!? Time isn't even mentioned in the question.
upvoted 4 times
Mr_Gray
2 years, 7 months ago
The mention of synchronization can indicate the NTP is not set correctly. You do have validity to your point, as if an attacker erased logs then they wouldn't match up later. This one merits additional research.
upvoted 1 times
GTofic
2 years, 4 months ago
If the attacker erased the log there would be no correlation of the information. Answer is A, it's about NTP (time) not synchronized.
upvoted 1 times
Re_My
2 years, 4 months ago
I agree, C is the right answer according to the Infosec course. An attacker may delete logs to erase traces.
upvoted 2 times
selamkelamlar
2 years, 8 months ago
I go with A.
upvoted 1 times
cerzocuspi
3 years ago
A is correct. Time sync
upvoted 3 times
OleMadhatter
3 years ago
(A) time synchronization is off.
upvoted 2 times
americaman80
3 years ago
Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular.
upvoted 4 times
sam422
3 years ago
If the assumption is Time Sync, then Answer A makes sense, however, it appears devices sync type, which makes answer C
upvoted 1 times
dolumo
2 years, 11 months ago
"the sequence of many of the logged events do not match up" C would have been correct if some events were not on some logs
upvoted 3 times
sam422
3 years ago
I go with C, an attacker can change time stamps to cover tracks
upvoted 2 times
fishPSU21
3 years, 1 month ago
If the company experienced a breach, the correct answer should be C since the attacker most likely covered up their tracks.
upvoted 1 times
AndreasH
3 years, 1 month ago
Wouldn't the attacker rather delete events completely from the logs instead of just changing the timeline? As I read the question the events are there, but the timeline is messed up (between devices), indicating a time sync problem.
upvoted 6 times
fishPSU21
3 years, 1 month ago
I can see that standpoint and get behind it.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other