135k views
4 votes
Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?

A. A timeline
B. A log viewer
C. Registry analysis
D. Timestamp validator

1 Answer

5 votes

Final answer:

Jeff should use a timeline as the forensic tool capability to map events found in logs and files to the initial event reported on October 5th, as it orders events chronologically and helps in identifying related security breaches or activities.

Step-by-step explanation:

When Jeff is investigating a system compromise and knows that the first event was reported on October 5th, the most suitable forensic tool capability he should use to map other events found in logs and files to this date is A. A timeline. Creating a timeline allows for the correlation of events across different systems and logs by placing them in chronological order. This would help Jeff visually identify any relevant activity before, on, and after October 5th, and pinpoint potential security breaches or unauthorized activities in relation to the known event.

A log viewer (option B) would be useful to view individual log files, but it may not be as efficient at correlating events across different sources. Registry analysis (option C) is helpful in examining Windows systems to find traces of executed programs or user activity, but is not necessarily focused on correlating events by dates and times. A timestamp validator (option D), while important to verify the integrity of timestamps, would not in itself allow mapping of events across a timeline.

by User Siva Gnanam (8.0k points)
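The correlation step the answer describes, placing records from unrelated sources on one clock and reading them relative to the known date, is easiest to see in code. The following is an added example, not part of the question or answer above and not the output of any named forensic tool. All log lines, event IDs, hosts, IP addresses and file mtimes are constructed for illustration; it also assumes the syslog year is 2023, that web01 logs in UTC, and that the dc01 CSV export is in local time at UTC-4. Normalising every source to UTC before sorting is the part that matters: the Windows logon that looks like an October 4th event in local time lands on October 5th once converted.

```python
"""Build a cross-source 'super timeline' anchored on the date of the first known event.

Constructed sample data below stands in for exports from three sources:
a syslog file, a Windows Security event CSV export and a file mtime listing.
None of it is real.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(order=True)
class Event:
    ts: datetime                      # normalised to UTC before sorting
    source: str
    host: str
    message: str = field(compare=False)


# --- constructed samples ---------------------------------------------------
SYSLOG_LINES = [  # classic syslog carries no year and no zone; both are assumed below
    "Oct  5 14:02:11 web01 sshd[2201]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2",
    "Oct  5 14:03:40 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/curl -o /tmp/x http://203.0.113.7/x",
    "Oct  7 01:15:02 web01 CRON[410]: (root) CMD (/tmp/x)",
]
WINEVT_CSV = [  # "local time,event id,host,message"; the dc01 clock is assumed to be UTC-4
    "2023-10-04 22:55:31,4624,dc01,An account was successfully logged on: deploy from 203.0.113.7",
    "2023-10-06 03:12:09,4720,dc01,A user account was created: svc_backup",
]
FILE_MTIMES = [  # (path, st_mtime as epoch seconds, which is already UTC)
    ("/tmp/x", 1696514621),
    ("/etc/cron.d/backup", 1696636200),
]
ANCHOR = datetime(2023, 10, 5, tzinfo=UTC)  # date of the first reported event

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(lines, year, tz):
    """Yield Events from syslog lines; year and zone are supplied by the analyst."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, host, msg = m.groups()
        local = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        yield Event(local.replace(tzinfo=tz).astimezone(UTC), "syslog", host, msg)


def parse_winevt_csv(lines, tz):
    """Yield Events from a 'time,id,host,message' export recorded in zone tz."""
    for line in lines:
        ts, eid, host, msg = line.split(",", 3)
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        yield Event(local.replace(tzinfo=tz).astimezone(UTC), "winevt", host, f"EventID {eid}: {msg}")


def parse_file_mtimes(entries, host):
    """Yield Events from (path, epoch) pairs; epoch seconds need no zone conversion."""
    for path, epoch in entries:
        yield Event(datetime.fromtimestamp(epoch, tz=UTC), "file", host, f"modified {path}")


def build_timeline():
    """Merge every source into one chronologically ordered list."""
    events = [
        *parse_syslog(SYSLOG_LINES, year=2023, tz=UTC),
        *parse_winevt_csv(WINEVT_CSV, tz=timezone(timedelta(hours=-4))),
        *parse_file_mtimes(FILE_MTIMES, host="web01"),
    ]
    return sorted(events)


def offset_from_anchor(ev, anchor=ANCHOR):
    """Signed offset from the anchor, e.g. 'T+1d 07:12:09' or 'T-0d 02:00:00'."""
    delta = ev.ts - anchor
    sign = "+" if delta >= timedelta(0) else "-"
    delta = abs(delta)
    secs = delta.seconds
    return f"T{sign}{delta.days}d {secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"


def render(timeline, anchor=ANCHOR):
    """One line per event: UTC time, offset from anchor, source, host, message."""
    return [
        f"{ev.ts:%Y-%m-%d %H:%M:%S}Z {offset_from_anchor(ev, anchor):<16} "
        f"{ev.source:<7} {ev.host:<6} {ev.message}"
        for ev in timeline
    ]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Run as-is and the rendered list shows the dc01 logon at T+0d 02:55:31, the SSH login and the curl download on web01 about eleven hours later, the new account on dc01 the next day, and the cron job firing two days after the anchor. A log viewer over any one of those files shows only its own slice; the timestamp conversion is what makes the three slices comparable, and checking each source's clock offset before converting is the validation step the answer's option D refers to.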