Certified Ethical Hacker (CEH) — Question 2

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.
What is the most likely cause?

Answer options

• A. The network devices are not all synchronized.
• B. Proper chain of custody was not observed while collecting the logs.
• C. The attacker altered or erased events from the logs.
• D. The security breach was a false positive.

Correct answer: A

Explanation

The correct answer is A because if the network devices are not synchronized, the timestamps on the logs will differ, leading to a mismatch in event sequences. Option B is incorrect as chain of custody issues would not directly affect the timing of events. Option C suggests tampering, which is less likely in this context, and option D implies no breach occurred, which does not explain the log discrepancies.