nerdexam
EC-Council


312-50V13 Question #564: Real Exam Question with Answer & Explanation


Submitted by ravi_2018 · Mar 6, 2026 · Introduction to Ethical Hacking

Question

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events does not match up. What is the most likely cause?

Options

  • A: The network devices are not all synchronized.
  • B: Proper chain of custody was not observed while collecting the logs.
  • C: The attacker altered or erased events from the logs.
  • D: The security breach was a false positive.

Explanation

Time Synchronization Causes Log Correlation Failures

The correct answer is A. When logs from multiple network devices show mismatched event sequences, the most likely cause is that the devices' clocks are not synchronized: each firewall, proxy and IDS stamps events with its own clock, and if those clocks drift by seconds or minutes (or some devices log in local time while others log in UTC), events that occurred in a definite order appear scrambled when the logs are merged. This is why Network Time Protocol (NTP) against a common, trusted time source is a security best practice, and why forensic log collection should record each device's clock offset from a reference and normalize all timestamps to UTC before correlation. Once the offsets are known, the original sequence can usually be recovered; without them, no amount of cross-referencing will line the logs up.

Why the distractors are wrong:

  • B (Chain of custody): A chain of custody failure would raise questions about evidence integrity and admissibility, not cause timestamp sequencing mismatches within the logs themselves.
  • C (Attacker altered logs): While possible, this is a less likely and more complex explanation than simple clock drift, which is an extremely common real-world problem. Investigators follow the principle of most probable cause: rule out clock skew first, then check log integrity (gaps, missing sequence numbers, hash mismatches) if the normalized timeline still does not make sense.
  • D (False positive): A false positive means no actual breach occurred, but the question is asking about a log correlation problem, not whether the breach happened at all.

🧠 Memory Tip: Think of it like comparing meeting notes taken by people in different time zones without adjusting - the events are real, but the times don't align. Always ask: "Are the clocks synced?" before assuming tampering.
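To make the explanation concrete, here is an added worked example (not part of the exam page or its answer) showing how unsynchronized clocks scramble a merged timeline and how an investigator normalizes the timestamps. The log lines, device names, time zones and clock skews are all constructed for illustration; the only assumption is that the investigator has measured each device's offset against a trusted NTP-synced reference (for instance by comparing every device's view of a single shared event such as a scheduled health-check probe).

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs (not from any real device). Each device stamps
# events with its own clock and writes naive timestamps, as a syslog
# collector would receive them. True order of events: firewall sees a
# connection to 443, the proxy logs the GET one second later, the firewall
# sees a connection to 22, then the IDS raises an SSH brute-force alert.
RAW_LOGS = {
    "firewall": [
        ("2026-03-06 10:00:03", "ACCEPT tcp 203.0.113.5 -> 192.0.2.10:443"),
        ("2026-03-06 10:00:09", "ACCEPT tcp 203.0.113.5 -> 192.0.2.10:22"),
    ],
    "proxy": [
        ("2026-03-06 10:58:04", "GET https://192.0.2.10/login from 203.0.113.5"),
    ],
    "ids": [
        ("2026-03-06 05:02:40", "ALERT SSH brute force 203.0.113.5 -> 192.0.2.10"),
    ],
}

# Assumed per-device clock facts established during the investigation:
#   tz:   the zone the device writes its timestamps in (hours from UTC)
#   skew: seconds the device clock runs ahead of true time (negative = slow),
#         measured with measure_skew() against a trusted reference.
CLOCK_INFO = {
    "firewall": {"tz": 0, "skew": 0},     # NTP-synced, logs in UTC
    "proxy": {"tz": +1, "skew": -120},    # local time, 2 minutes slow
    "ids": {"tz": -5, "skew": +150},      # local time, 2.5 minutes fast
}


def measure_skew(device_reading: datetime, reference_reading: datetime) -> int:
    """Seconds the device clock runs ahead of the trusted reference for the
    same instant. Both arguments must be timezone-aware datetimes."""
    return int(round((device_reading - reference_reading).total_seconds()))


def to_utc(ts: str, tz_hours: int, skew_seconds: int) -> datetime:
    """Convert a device's local, possibly skewed timestamp to true UTC."""
    local = datetime.strptime(ts, FMT).replace(
        tzinfo=timezone(timedelta(hours=tz_hours)))
    return (local - timedelta(seconds=skew_seconds)).astimezone(timezone.utc)


def naive_timeline(logs):
    """What the investigator sees when raw timestamps are merged as-is."""
    rows = [(ts, dev, msg) for dev, entries in logs.items() for ts, msg in entries]
    return sorted(rows)


def normalized_timeline(logs, clock_info):
    """Merge after correcting each device for its time zone and measured skew."""
    rows = []
    for dev, entries in logs.items():
        info = clock_info[dev]
        for ts, msg in entries:
            rows.append((to_utc(ts, info["tz"], info["skew"]), dev, msg))
    return sorted(rows)


if __name__ == "__main__":
    print("Raw merge (scrambled by unsynchronized clocks):")
    for ts, dev, msg in naive_timeline(RAW_LOGS):
        print(f"  {ts}  {dev:8s} {msg}")
    print("After normalizing to UTC and correcting skew:")
    for ts, dev, msg in normalized_timeline(RAW_LOGS, CLOCK_INFO):
        print(f"  {ts:%Y-%m-%d %H:%M:%S}Z  {dev:8s} {msg}")
```

The raw merge puts the IDS alert before any connection and the proxy request after everything, which is exactly the "sequence does not match up" symptom in the question. After normalization the events fall into their true order. In practice, measure the skew for every source before drawing conclusions, and keep a record of the offsets used, since they become part of the evidence.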

Topics

#LogAnalysis #TimeSynchronization #IncidentResponse #SecurityDevices

