Chapter 4
Domain 4.0: Incident Response

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

4.1 Explain the importance of the incident response process.
- Communication plan
- Response coordination with relevant entities
- Factors contributing to data criticality
4.2 Given a scenario, apply the appropriate incident response procedure.
- Preparation
- Detection and analysis
- Containment
- Eradication and recovery
- Post-incident activities
4.3 Given an incident, analyze potential indicators of compromise.
- Network-related
- Host-related
- Application-related
4.4 Given a scenario, utilize basic digital forensics techniques.
- Network
- Endpoint
- Mobile
- Cloud
- Virtualization
- Legal hold
- Procedures
- Hashing
- Carving
- Data acquisition

If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them?
1. File size and file creation date
2. MD5 hash
3. Private key and cryptographic hash
4. Public key and cryptographic hash

Jeff discovers multiple JPEG photos during his forensic investigation of a computer involved in an incident. When he runs exiftool to gather file metadata, which information is not likely to be part of the images even if they have complete metadata intact?

GPS location
Camera type
Number of copies made
Correct date/timestamp

Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system?

Both /etc/passwd and /etc/shadow
/etc/shadow
/etc/passwd
Chris cannot recover passwords; only hashes are stored.

Charles needs to review the permissions set on a directory structure on a Window system he is investigating to determine whether the system contains unauthorized privileges. Which Sysinternals tool will provide him with this functionality?

DiskView
AccessEnum
du
AccessChk

John has designed his network as shown here and places untrusted systems that want to connect to the network into the Guests network segment. What is this type of segmentation called?

Schematic illustration of a type of Guest network segment.

Proactive network segmentation
Isolation
Quarantine
Removal

The organization that Jamal works for classifies security related events using NIST's standard definitions. Which classification should he use when he discovers key logging software on one of his frequent business travelers' laptop?

An event
An adverse event
A security incident
A policy violation

Mei is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first?

Authorized MAC
Authorized SSID
Authorized channel
Authorized vendor

Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. What phase of the incident response process is Dan in?

Postincident activity
Detection and analysis
Preparation
Containment, eradication, and recovery

The company that Brian works for processes credit cards and is required to be compliant with PCI DSS. If Brian's company experiences a breach of card data, what type of disclosure will they be required to provide?

Notification to local law enforcement
Notification to their acquiring bank
Notification to federal law enforcement
Notification to Visa and MasterCard

Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system?

chbkup
getfacl
aclman
There is not a common Linux permission backup tool.

While working to restore systems to their original configuration after a long-term APT compromise, Manish has three options:

He can restore from a backup and then update patches on the system.
He can rebuild and patch the system using original installation media and application software using his organization's build documentation.
He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems.

Which option should Manish choose in this scenario?

Option A
Option B
Option C
None of the above. Manish should hire a third party to assess the systems before proceeding.

Jessica wants to access a macOS FileVault 2–encrypted drive. Which of the following methods is not a possible means of unlocking the volume?

Change the FileVault key using a trusted user account.
Retrieve the key from memory while the volume is mounted.
Acquire the recovery key.
Extract the keys from iCloud.

Susan discovers the following log entries that occurred within seconds of each other in her Squert (a Sguil web interface) console. What have her network sensors most likely detected?

Snapshot of log entries that occurred within seconds.

A failed database connection from a server
A denial-of-service attack
A port scan
A misconfigured log source

Frank wants to log the creation of user accounts on a Windows workstation. What tool should he use to enable this logging?

secpol.msc
auditpol.msc
regedit
Frank does not need to make a change; this is a default setting.

If Suki wants to purge a drive, which of the following options will accomplish her goal?

Cryptographic erase
Reformat
Overwrite
Repartition

Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network?

Persistence of the beaconing
Beacon protocol
Beaconing interval
Removal of known traffic

While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports?

Different patch levels were used during the scans.
They are scanning through a load balancer.
There is a firewall between the remote network and the server.
Scott or Joanna ran the vulnerability scan with different settings.

As part of his organization's cooperation in a large criminal case, Adam's forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam's team take prior to sending a drive containing the forensic image?

Encode in EO1 format and provide a hash of the original file on the drive.
Encode in FTK format and provide a hash of the new file on the drive.
Encrypt the RAW file and transfer a hash and key under separate cover.
Decrypt the RAW file and transfer a hash under separate cover.

Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this?

Set the “read-only” jumper on the drive.
Use a write blocker.
Use a read blocker.
Use a forensic software package.

What type of forensic investigation–related form is shown here?

Snapshot of a type of forensic investigation-related form.

Chain of custody
Report of examination
Forensic discovery log
Policy custody release

Which one of the following file manipulation commands is not used to display the contents of a file?

head
tail
chmod
cat

Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?

SNMP
Portmon
Packet sniffing
NetFlow

James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system?

Plug the system in to the network and capture the traffic quickly at the firewall using Wireshark or tcpdump.
Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic.
Review the ARP cache for outbound traffic.
Review the Windows Firewall log for traffic logs.

Fred is attempting to determine whether a user account is accessing other systems on his network and uses lsof to determine what files the user account has open. What information should he identify when faced with the following lsof output?

The user account demo is connected from remote.host.com to a local system.

The user demo has replaced the /bash executable with one they control.

The user demo has an outbound connection to remote.host.com.

The user demo has an inbound SSH connection and has replaced the Bash binary.
After completing an incident response process and providing a final report to management, what step should Casey use to identify improvement to her incident response plan?
1. Update system documentation.
2. Conduct a lessons learned session.
3. Review patching status and vulnerability scans.
4. Engage third-party consultants.
The senior management at the company that Kathleen works for is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information?
1. A discovery scan using a port scanner
2. Router and switch-based MAC address reporting
3. A physical survey
4. Reviewing a central endpoint administration tool
While investigating a system error, Lauren runs the df command on a Linux box that she is the administrator for. What problem and likely cause should she identify based on this listing?
```
        # df -h /var/
        Filesystem           Size  Used    Avail Use% Mounted on
        /dev/sda1            40G   11.2G   28.8  28%  /
        /dev/sda2            3.9G  3.9G    0     100% /var
```
1. The var partition is full and needs to be wiped.
2. Slack space has filled up and needs to be purged.
3. The var partition is full, and logs should be checked.
4. The system is operating normally and will fix the problem after a reboot.
In order, which set of Linux permissions are least permissive to most permissive?
1. 777, 444, 111
2. 544, 444, 545
3. 711, 717, 117
4. 111, 734, 747
As Lauren prepares her organization's security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness?
1. Attrition
2. Impersonation
3. Improper usage
4. Web
Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in?
1. Single crack mode
2. Wordlist mode
3. Incremental mode
4. External mode
During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow?
1. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in.
2. Copy the virtual disk files and then use a memory capture tool.
3. Escalate to management to get permission to suspend the system to allow a true forensic copy.
4. Use a tool like the Volatility Framework to capture the live machine completely.
Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the on-site team. Why are the items labeled like this?
1. To ensure chain of custody
2. To ensure correct reassembly
3. To allow for easier documentation of acquisition
4. To tamper-proof the system
Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool?
1. Text messaging
2. A Jabber server with TLS enabled
3. Email with TLS enabled
4. A messaging application that uses the Signal protocol
While reviewing her Nagios logs, Selah discovers the error message shown here. What should she do about this error?
1. Check for evidence of a port scan.
2. Review the Apache error log.
3. Reboot the server to restore the service.
4. Restart the Apache service.
Lakshman needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process?
1. Clear, validate, and document.
2. Purge the drives.
3. Purge, validate, and document.
4. The drives must be destroyed to ensure no data loss.
Selah is preparing to collect a forensic image for a Macintosh computer running the Mojave operating system. What hard drive format is she most likely to encounter?
1. FAT32
2. MacFAT
3. APFS
4. HFS+
During a forensic analysis of an employee's computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation?
1. A wiped C: drive
2. Antiforensic activities
3. All slack space cleared
4. Temporary files and Internet history wiped
Jessica wants to recover deleted files from slack space and needs to identify where the files begin and end. What is this process called?
1. Slacking
2. Data carving
3. Disk recovery
4. Header manipulation
Latisha is the IT manager for a small company and occasionally serves as the organization's information security officer. Which of the following roles should she include as the leader of her organization's CSIRT?
1. Her lead IT support staff technician
2. Her organization's legal counsel
3. A third-party IR team lead
4. She should select herself.
During her forensic analysis of a Windows system, Cynthia accesses the registry and checks \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogin (as seen in the image below). What domain was the system connected to, and what was the username that would appear at login?
1. Admin, administrator
2. No domain, admin
3. Legal, admin
4. Corporate, no default username
Latisha wants to ensure that the two most commonly used methods for preventing Linux buffer overflow attacks are enabled for the operating system she is installing on her servers. What two related technologies should she investigate to help protect her systems?
1. The NX bit and ASLR
2. StackAntismash and DEP
3. Position-independent variables and ASLR
4. DEP and the position-independent variables
Angela is attempting to determine when a user account was created on a Windows 10 workstation. What method is her best option if she believes the account was created recently?
1. Check the System log.
2. Check the user profile creation date.
3. Check the Security log.
4. Query the registry for the user ID creation date.
Alex suspects that an attacker has modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determining whether this has occurred?
1. file
2. stat
3. strings
4. grep
Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes?
1. Success
2. Fail
3. Full control
4. All
Cameron believes that the Ubuntu Linux system that he is restoring to service has already been fully updated. What command can he use to check for new updates, and where can he check for the history of updates on his system?
1. apt-get -u upgrade, /var/log/apt
2. rpm -i upgrade, /var/log/rpm
3. upgrade -l, /var/log/upgrades
4. apt-get install -u; Ubuntu Linux does not provide a history of updates.
Adam wants to quickly crack passwords from a Windows system. Which of the following tools will provide the fastest results in most circumstances?
1. John the Ripper
2. Cain and Abel
3. Ophcrack
4. Hashcat
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed?
1. Logical
2. Bit-by-bit
3. Sparse
4. None of the above
Kelly sees high CPU utilization in the Windows Task Manager, as shown here, while reviewing a system's performance issues. If she wants to get a detailed view of the CPU usage by application, with PIDs and average CPU usage, what native Windows tool can she use to gather that detail?
1. Resource Monitor
2. Task Manager
3. iperf
4. Perfmon
During a forensic investigation, Kwame records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Kwame is using as he labels evidence with details of who acquired and validated it?
1. Direct evidence
2. Circumstantial evidence
3. Incident logging
4. Chain of custody
Roger's
monitoring system provides Windows memory utilization reporting. Use the chart shown here to determine what actions Roger should take based on his monitoring.
1. The memory usage is stable and can be left as it is.
2. The memory usage is high and must be addressed.
3. Roger should enable automatic memory management.
4. There is not enough information to make a decision.
NIST defines five major types of threat information types in NIST SP 800-150, “Guide to Cyber Threat Information Sharing.”
1. Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred
2. Tactics, techniques, and procedures that describe the behavior of an actor
3. Security alerts like advisories and bulletins
4. Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used
5. Tool configurations that support collection, exchange, analysis, and use of threat information
Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats?
1. 1, 2, and 5
2. 1, 3, and 5
3. 2, 4, and 5
4. 1, 2, and 4
Vlad wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about?
1. The registry
2. The user profile directory
3. The wireless adapter cache
4. Wireless network lists are not stored after use.
Saanvi wants to prevent buffer overflows from succeeding against his organization's web applications. What technique is best suited to preventing this type of attack from succeeding?
1. User input canonicalization
2. User input size checking
3. Format string validation
4. Buffer overwriting
Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need?
1. Suspend the machine and copy the contents of the directory it resides in.
2. Perform a live image of the machine.
3. Suspend the machine and make a forensic copy of the drive it resides on.
4. Turn the virtual machine off and make a forensic copy of it.
Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form fill information saved in?
1. SQLite
2. Plain text
3. Base64 encoded text
4. NoSQL
While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set (see image below). What issue is he most likely encountering?
1. The files need to be compressed.
2. The destination drive is formatted FAT32.
3. The destination drive is formatted NTFS.
4. The files are encrypted.
Christina’s
organization recently suffered an incident where an attacker connected to their wireless network. In response, she is configuring ongoing monitoring for rogue devices on her monitoring system and wants to select an appropriate reset condition for rogue MAC address alerts. Which of the options shown here is best suited to handling rogue devices if she wants to avoid creating additional work for her team?
1. Reset when no longer true.
2. Reset after a time period.
3. No reset condition; trigger each time the condition is met.
4. No reset action; manually remove the alert from the active alerts list.
Saanvi needs to validate the MD5 checksum of a file on a Windows system to ensure that there were no unauthorized changes to the binary file. He is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file?
1. md5sum
2. certutil
3. sha1sum
4. hashcheck
Which of the following is not an important part of the incident response communication process?
1. Limiting communication to trusted parties
2. Disclosure based on public feedback
3. Using a secure method of communication
4. Preventing accidental release of incident-related information
Deepa is diagnosing major network issues at a large organization and sees the following graph in her PRTG console on the “outside” interface of her border router. What can Deepa presume has occurred?
1. The network link has failed.
2. A DDoS is in progress.
3. An internal system is transferring a large volume of data.
4. The network link has been restored.
Which of the following commands is not useful for determining the list of network interfaces on a Linux system?
1. ifconfig
2. netstat -i
3. ip link show
4. intf -q
What Windows memory protection methodology is shown here?
1. DEP
2. ASLR
3. StackProtect
4. MemShuffle
Forensic investigation shows that the target of an investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence?
1. Clear
2. Purge
3. Destroy
4. None of the above
Angela wants to use her network security device to detect potential beaconing behavior. Which of the following options is best suited to detecting beaconing using her network security device?
1. Antivirus definitions
2. File reputation
3. IP reputation
4. Static file analysis
During an incident response process, Susan plugs a system back into the network, allowing it normal network access. What phase of the incident response process is Susan performing?
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Postincident activity
A server in the datacenter that Chris is responsible for monitoring unexpectedly connects to an off-site IP address and transfers 9 GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type?
1. Flow logs with heuristic analysis
2. SNMP monitoring with heuristic analysis
3. Flow logs with signature-based detection
4. SNMP monitoring with signature-based detection
Mei's team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model?
1. Regular
2. Supplemented
3. Extended
4. Not recoverable
Which of the following mobile device forensic techniques is not a valid method of isolation during forensic examination?
1. Use a forensic SIM.
2. Buy and use a forensic isolation appliance.
3. Place the device in an antistatic bag.
4. Put the device in airplane mode.
Rick wants to monitor permissions and ownership changes of critical files on the Red Hat Linux system he is responsible for. What Linux tool can he use to do this?
1. watchdog
2. auditctl
3. dirwatch
4. monitord
Janet is attempting to conceal her actions on a company-owned computer. As part of her cleanup attempts, she deletes all the files she downloaded from a corporate file server using a browser in incognito mode. How can a forensic investigator determine what files she downloaded?
1. Network flows
2. SMB logs
3. Browser cache
4. Drive analysis
Jose is aware that an attacker has compromised a system on his network but wants to continue to observe the attacker's efforts as they continue their attack. If Jose wants to prevent additional impact on his network while watching what the attacker does, what containment method should he use?
1. Removal
2. Isolation
3. Segmentation
4. Detection
When Abdul arrived at work this morning, he found an email in his inbox that read, “Your systems are weak; we will own your network by the end of the week.” How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs?
1. An indicator
2. A threat
3. A risk
4. A precursor
During an incident response process, Cynthia conducts a lessons learned review. What phase of the incident response process is she in?
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Postincident recovery
As part of his incident response program, Allan is designing a playbook for zero-day threats. Which of the following should not be in his plan to handle them?
1. Segmentation
2. Patching
3. Using threat intelligence
4. Whitelisting
As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view?
1. An incident
2. An event
3. An adverse event
4. A security incident
Fred wants to identify digital evidence that can place an individual in a specific place at a specific time. Which of the following types of digital forensic data is not commonly used to attempt to document physical location at specific times?
1. Cell phone GPS logs
2. Photograph metadata
3. Cell phone tower logs
4. Microsoft Office document metadata
Kai has completed the validation process of her media sanitization efforts and has checked a sample of the drives she had purged using a built-in cryptographic wipe utility. What is her next step?
1. Resample to validate her testing.
2. Destroy the drives.
3. Create documentation.
4. She is done and can send the drives on for disposition.
In his role as a small company's information security manager, Mike has a limited budget for hiring permanent staff. Although his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents?
1. Outsource to a third-party SOC
2. Create an internal SOC
3. Hire an internal incident response team
4. Outsource to an incident response provider
The Stuxnet attack relied on engineers who transported malware with them, crossing the air gap between networks. What type of threat is most likely to cross an air-gapped network?
1. Email
2. Web
3. Removable media
4. Attrition
While reviewing his network for rogue devices, Dan notes that a system with MAC address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his building for three days. What information can this provide Dan that may be helpful if he conducts a physical survey of the office?
1. The operating system of the device
2. The user of the system
3. The vendor who built the system
4. The type of device that is connected
Bohai wants to ensure that media has been properly sanitized. Which of the following options properly lists sanitization descriptions from least to most effective?
1. Purge, clear, destroy
2. Eliminate, eradicate, destroy
3. Clear, purge, destroy
4. Eradicate, eliminate, destroy
Degaussing is an example of what form of media sanitization?
1. Clearing
2. Purging
3. Destruction
4. It is not a form of media sanitization.

While reviewing storage usage on a Windows system, Brian checks the volume shadow copy storage as shown here:

        C:\WINDOWS\system32>vssadmin list Shadowstorage
        vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
        (C) Copyright 2001-2013 Microsoft Corp.
        Shadow Copy Storage association
           For volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e69633}\
           Shadow Copy Storage volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}\
           Used Shadow Copy Storage space: 25.6 GB (2%)
           Allocated Shadow Copy Storage space: 26.0 GB (2%)
           Maximum Shadow Copy Storage space: 89.4 GB (10%)

What purpose does this storage serve, and can he safely delete it?

It provides a block-level snapshot and can be safely deleted.
It provides secure hidden storage and can be safely deleted.
It provides secure hidden storage and cannot be safely deleted.
It provides a block-level snapshot and cannot be safely deleted.

Near the end of a typical business day, Suki is notified that her organization's email servers have been blacklisted because of email that appears to originate from her domain. What information does she need to start investigating the source of the spam emails?
1. Firewall logs showing SMTP connections
2. The SMTP audit log from her email server
3. The full headers of one of the spam messages
4. Network flows for her network
Lauren recovers a number of 16GB and 32GB microSD cards during a forensic investigation. Without checking them manually, what filesystem type is she most likely to find them formatted in as if they were used with a digital camera?
1. RAW
2. FAT16
3. FAT32
4. APFS
While checking for bandwidth consumption issues, Bohai uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent over 20GB. What problem has Bohai encountered?
1. A rootkit is concealing traffic from the Linux kernel.
2. Flow logs show traffic that does not reach the system.
3. ifconfig resets traffic counters at 4 GB.
4. ifconfig only samples outbound traffic and will not provide accurate information.
After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs?
1. Power them down, take pictures of how each is connected, and log each system in as evidence.
2. Take photos of each system, power them down, and attach a tamper-evident seal to each PC.
3. Collect live forensic information, take photos of each system, and power them down.
4. Collect a static drive image, validate the hash of the image, and securely transport each system.
In his role as a forensic examiner, Lukas has been asked to produce forensic evidence related to a civil case. What is this process called?
1. Criminal forensics
2. E-discovery
3. Cyber production
4. Civil tort
During their organization's incident response preparation, Manish and Linda are identifying critical information assets that the company uses. Included in their organizational data sets is a list of customer names, addresses, phone numbers, and demographic information. How should Manish and Linda classify this information?
1. PII
2. Intellectual property
3. PHI
4. PCI DSS
As Mika studies her company's computer forensics playbook, she notices that forensic investigators are required to use a chain of custody form. What information would she record on that form if she was conducting a forensic investigation?
1. The list of individuals who made contact with files leading to the investigation
2. The list of former owners or operators of the PC involved in the investigation
3. All individuals who work with evidence in the investigation
4. The police officers who take possession of the evidence
Scott needs to ensure that the system he just rebuilt after an incident is secure. Which type of scan will provide him with the most useful information to meet his goal?
1. An authenticated vulnerability scan from a trusted internal network
2. An unauthenticated vulnerability scan from a trusted internal network
3. An authenticated scan from an untrusted external network
4. An unauthenticated scan from an untrusted external network
What is the primary role of management in the incident response process?
1. Leading the CSIRT
2. Acting as the primary interface with law enforcement
3. Providing authority and resources
4. Assessing impact on stakeholders
While reviewing his OSSEC SIEM logs, Chris notices the following entries. What should his next action be if he wants to quickly identify the new user's creation date and time?
1. Check the user.log for a new user.
2. Check syslog for a new user.
3. Check /etc/passwd for a new user.
4. Check auth.log for a new user.
Jessica wants to track the changes made to the registry and filesystem while running a suspect executable on a Windows system. Which Sysinternals tool will allow her to do this?
1. App Monitor
2. Resource Tracker
3. Process Monitor
4. There is no Sysinternals tool with this capability.
Max wants to improve the effectiveness of the incident analysis process he is responsible for as the leader of his organization's CSIRT. Which of the following is not a commonly recommended best practice based on NIST's guidelines?
1. Profile networks and systems to measure the characteristics of expected activity.
2. Perform event correlation to combine information from multiple sources.
3. Maintain backups of every system and device.
4. Capture network traffic as soon as an incident is suspected.
NIST describes four major phases in the incident response cycle. Which of the following is not one of the four?
1. Containment, eradication, and recovery
2. Notification and communication
3. Detection and analysis
4. Preparation
Charles wants to perform memory forensics on a Windows system and wants to access pagefile.sys. When he attempts to copy it, he receives the following error. What access method is required to access the page file?
1. Run Windows Explorer as an administrator and repeat the copy.
2. Open the file using fmem.
3. Run cmd.exe as an administrator and repeat the copy.
4. Shut the system down, remove the drive, and copy it from another system.
Stefan wants to prevent evil twin attacks from working on his wireless network. Which of the following is not a useful method for detecting evil twins?
1. Check for BSSID.
2. Check the SSID.
3. Check the attributes (channel, cipher, authentication method).
4. Check for tagged parameters like the organizational unique identifier.
Where is slack space found in the following Windows partition map?
1. The System Reserved partition
2. The System Reserved and Unallocated partitions
3. The System Reserved and C: partitions
4. The C: and unallocated partitions
Luke needs to verify settings on a macOS computer to ensure that the configuration items he expects are set properly. What type of file is commonly used to store configuration settings for macOS systems?
1. The registry
2. .profile files
3. Plists
4. .config files
Ty needs to determine the proper retention policy for his organization's incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what timeframe should he select?
1. 30 days
2. 90 days
3. 1 to 2 years
4. 7 years
The system that Alice has identified as the source of beaconing traffic is one of her organization's critical e-commerce servers. To maintain her organization's operations, she needs to quickly restore the server to its original, uncompromised state. What criterion is most likely to be impacted the most by this action?
1. Damage to the system or service
2. Service availability
3. Ability to preserve evidence
4. Time and resources needed to implement the strategy
After law enforcement was called because of potential criminal activity discovered as part of a forensic investigation, the officers on the scene seized three servers. When can Joe expect his servers to be returned?
1. After 30 days, which provides enough time for a reasonable imaging process
2. After 6 months, as required by law
3. After 1 year, as most cases resolve in that amount of time
4. Joe should not plan on a timeframe for return.
Piper wants to create a forensic image that third-party investigators can use but does not know what tool the third-party investigation team that her company intends to engage will use. Which of the following forensic formats should she choose if she wants almost any forensic tool to be able to access the image?
1. E01
2. AFF
3. RAW
4. AD1
After Janet's attempts to conceal her downloads of important corporate information were discovered, forensic investigators learned that she frequently copied work files to a USB drive. Which of the following is not a possible way to manually check her Windows workstation for a list of previously connected USB drives?
1. Check the security audit logs.
2. Check the setupapi log file.
3. Search the registry.
4. Check the user's profile.
As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture?
1. File creation dates
2. Deleted files
3. File permission data
4. File metadata
NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties?
1. Customers, constituents, and media
2. Internet service providers
3. Law enforcement agencies
4. Legal counsel
What common incident response follow-up activity includes asking questions like “What additional tools or resources are needed to detect or analyze future events?”
1. Preparation
2. Lessons learned review
3. Evidence gathering
4. Procedural analysis
Suki has been asked to capture forensic data from a Windows PC and needs to ensure that she captures the data in their order of volatility. Which order is correct from most volatile to least volatile?
1. Network traffic, CPU cache, disk drives, optical media
2. CPU cache, network traffic, disk drives, optical media
3. Optical media, disk drives, network traffic, CPU cache
4. Network traffic, CPU cache, optical media, disk drives
During an incident response process, Suki heads to a compromised system and pulls its network cable. What phase of the incident response process is Suki performing?
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Postincident activity
Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound?
1. Create a MD5 hash
2. Create a SHA-1 hash
3. Create a SHA-2 hash
4. All of the above
What strategy does NIST suggest for identifying attackers during an incident response process?
1. Use geographic IP tracking to identify the attacker's location.
2. Contact upstream ISPs for assistance in tracking down the attacker.
3. Contact local law enforcement so that they can use law enforcement–specific tools.
4. Identifying attackers is not an important part of the incident response process.
Rick is conducting a forensic investigation of a compromised system. He knows from user reports that issues started at approximately 3:30 p.m. on June 12. Using the SANS SIFT open source forensic tool, what process should he use to determine what occurred?
1. Search the drive for all files that were changed between 3 and 4 p.m.
2. Create a Super Timeline.
3. Run antimalware and search for newly installed malware tools during that time frame.
4. Search system logs for events between 3 and 4 p.m.
Vlad believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this?
1. Review /etc/passwd and /etc/shadow for unexpected accounts.
2. Check /home/ for new user directories.
3. Review /etc/sudoers for unexpected accounts.
4. Check /etc/groups for group membership issues.
Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join?
1. An ISAC
2. A CSIRT
3. A VPAC
4. An IRT
While investigating a spam email, Adam is able to capture headers from one of the email messages that was received. He notes that the sender was Carmen Victoria Garci. What facts can he gather from the headers shown here?
1. Victoria Garci's email address is tntexpress819@yahoo.com.
2. The sender sent via Yahoo.
3. The sender sent via a system in Japan.
4. The sender sent via Gmail.
Azra needs to access a macOS system but does not have the user's password. If the system is not FileVaulted, which of the following options is not a valid recovery method?
1. Use Single User mode to reset the password.
2. Use Recovery mode to recover the password.
3. Use Target Disk mode to delete the Keychain.
4. Reset the password from another privileged user account.
While performing forensic analysis of an iPhone backup, Cynthia discovers that she has only some of the information that she expects the phone to contain. What is the most likely scenario that would result in the backup she is using having partial information?
1. The backup was interrupted.
2. The backup is encrypted.
3. The backup is a differential backup.
4. The backup is stored in iCloud.
Cullen wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions?
1. A second examiner acting as a witness and countersigning all actions
2. A complete forensic log book signed and sealed by a notary public
3. A documented forensic process with required sign-off
4. Taking pictures of all independent forensic actions
Cynthia is reviewing her organization's incident response recovery process, which is outlined here. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process?
1. Change passwords before restoring from backup
2. Isolate the system before restoring from backups
3. Securely wipe the drive before restoration
4. Vulnerability scan before patching
After zero-wiping a system's hard drive and rebuilding it with all security patches and trusted accounts, Azra is notified that the system is once again showing signs of compromise. Which of the following types of malware package cannot survive this type of eradication effort?
1. An MBR-resident malware tool
2. A UEFI-resident malware
3. A BIOS-resident malware
4. A slack space–resident malware package
Patents, copyrights, trademarks, and trade secrets are all related to what type of high value asset?
1. PII
2. PHI
3. Corporate confidential
4. Intellectual property
Which of the following issues is not commonly associated with BYOD devices?
1. Increased network utilization
2. Increased device costs
3. Increased support tickets
4. Increased security risk
Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered?
1. Slack space
2. Hidden content
3. Sparse files
4. Encryption overhead
What is the minimum retention period for incident data for U.S. federal government agencies?
1. 90 days
2. 1 year
3. 3 years
4. 7 years
Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this?
1. A trusted system binary kit
2. Dynamic code analysis
3. Static code analysis
4. File rainbow tables
Sadiq wants to verify that authentication to a Linux service has two-factor authentication settings set as a requirement. Which common Linux directory can he check for this type of setting, listed by application, if the application supports it?
1. /etc/pam.d
2. /etc/passwd
3. /etc/auth.d
4. /etc/tfa
Mel is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST's recommendations?
1. Subnet mask, DHCP server, hostname, MAC address
2. IP addresses, MAC addresses, hostname
3. Domain, hostname, MAC addresses, IP addresses
4. NIC manufacturer, MAC addresses, IP addresses, DHCP configuration
Ryan believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections?
1. Network traffic analysis
2. Network forensics
3. Endpoint behavior analysis
4. Endpoint forensics
After submitting a suspected malware package to VirusTotal, Damian receives the following results. What does this tell Damian?
1. The submitted file contains more than one malware package.
2. Antivirus vendors use different names for the same malware.
3. VirusTotal was unable to specifically identify the malware.
4. The malware package is polymorphic, and matches will be incorrect.
Ben is investigating a potential malware infection of a laptop belonging to a senior manager in the company he works for. When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation?
1. Run an antivirus scan.
2. Disconnect the system from the network.
3. Wipe the system and reinstall.
4. Observe and record what is being typed.
Kathleen's
forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files?
1. The MBR
2. Unallocated space
3. Slack space
4. The FAT
As part of a test of her network's monitoring infrastructure, Kelly uses snmpwalk to validate her router SNMP settings. She executes snmpwalk as shown here:
```
 snmpwalk -c public 10.1.10.1 -v1
 iso.3.6.1.2.1.1.0 = STRING: "RouterOS 3.6"
 iso.3.6.1.2.1.2.0 = OID: iso.3.6.1.4.1.30800
 iso.3.6.1.2.1.1.3.0 = Timeticks: (1927523) 08:09:11
 iso.3.6.1.2.1.1.4.0 = STRING: "root"
 iso.3.6.1.2.1.1.5.0 = STRING: "RouterOS"
 ... 
```
Which of the following pieces of information is not something she can discover from this query?
1. SNMP v1 is enabled.
2. The community string is public.
3. The community string is root.
4. The contact name is root.
Laura needs to check on memory, CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these?
1. Resource Monitor
2. System Monitor
3. Activity Monitor
4. Sysradar
Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off?
1. Hibernation file analysis
2. Memory analysis
3. Boot-sector analysis
4. Brute-force cracking
Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect?
```
        destip: [*] and duration < 10 packets and destbytes < 3000 and flowcompleted = true
        and application = http or https or tcp or unknown and content != uripath:* and content
        != contentencoding:* 
```
1. Users browsing malicious sites
2. Adware
3. Beaconing
4. Outbound port scanning
Casey's search for a possible Linux backdoor account during a forensic investigation has led her to check through the filesystem for issues. Where should she look for back doors associated with services?
1. /etc/passwd
2. /etc/xinetd.conf
3. /etc/shadow
4. $HOME/.ssh/
As an employee of the U.S. government, Megan is required to use NIST's information impact categories to classify security incidents. During a recent incident, proprietary information was changed. How should she classify this incident?
1. As a privacy breach
2. As an integrity loss
3. As a proprietary breach
4. As an availability breach
During what stage of an event is preservation of evidence typically handled?
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Postincident activity
Nara is reviewing event logs to determine who has accessed a workstation after business hours. When she runs secpol.msc on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs?
1. Login failures
2. User IDs from logins
3. Successful logins
4. Times from logins
Marta runs the command shown here while checking usage of her Linux system. Which of the following statements is true based on the information shown?
1. There are two users logged in remotely via SSH.
2. There is an active exploit in progress using the Monkeycom exploit.
3. The local system is part of the demo.com domain.
4. The system is not providing any UDP services.
Lukas wants to purge a drive to ensure that data cannot be extracted from it when it is sent off-site. Which of the following is not a valid option for purging hard drives on a Windows system?
1. Use the built-in Windows sdelete command line.
2. Use Eraser.
3. Use DBAN.
4. Encrypt the drive and then delete the key.
The company that Charlene works for has been preparing for a merger, and during a quiet phase she discovers that the corporate secure file server that contained the details of the merger has been compromised. As she works on her incident summary report, how should she most accurately categorize the data that was breached?
1. PII
2. PHI
3. PCI
4. Corporate confidential data
Which of the following is not a valid use case for live forensic imaging?
1. Malware analysis
2. Encrypted drives
3. Postmortem forensics
4. Nonsupported filesystems
Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking?
1. userstat [username]
2. ls -ld /home/[username]
3. aureport -auth | grep [username]
4. None of the above
Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created?
1. Dynamic analysis
2. Anomaly analysis
3. Static analysis
4. Behavioral analysis
While reviewing the actions taken during an incident response process, Mei is informed by the local desktop support staff person that the infected machine was returned to service by using a Windows system restore point. Which of the following items will a Windows system restore return to a previous state?
1. Personal files
2. Malware
3. Windows system files
4. All installed apps
During a major incident response effort, Kobe discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data?
1. Reboot the server and mount the system drive using a USB-bootable forensic suite.
2. Create an image using a tool like FTK Imager Lite.
3. Capture the system memory using a tool like Volatility.
4. Install and run an imaging tool on the live server.
Manish wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this?
1. File Permissions
2. User Rights
3. File System
4. Audit Objects
Manish finds the following entries on a Linux system in /var/log/auth.log. If he is the only user with root privileges, requires two-factor authentication to log in as root, and did not take the actions shown, what should he check for?
1. A hacked root account
2. A privilege escalation attack from a lower privileged account or service
3. A malware infection
4. A RAT
A
disgruntled former employee uses the systems she was responsible for to slow down the network that Chris is responsible for protecting during a critical business event. What NIST threat classification best fits this type of attack?
1. Impersonation
2. Attrition
3. Improper usage
4. Web
As part of his forensic analysis of a series of photos, John runs exiftool for each photo. He receives the following listing from one photo. What useful forensic information can he gather from this photo?
1. The original creation date, the device type, the GPS location, and the creator's name
2. The endian order of the file, the file type, the GPS location, and the scene type
3. The original creation date, the device type, the GPS location, and the manufacturer of the device
4. The MIME type, the GPS time, the GPS location, and the creator's name
During the preparation phase of his organization's incident response process, Oscar gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of preprepared equipment commonly called?
1. A grab bag
2. A jump kit
3. A crash cart
4. A first responder kit
Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as “visit time” listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful?
1. The value is in seconds since January 1, 1970.
2. The value is in seconds since January 1, 1601.
3. The value is a Microsoft timestamp and can be converted using the time utility.
4. The value is an ISO 8601–formatted date and can be converted with any ISO time utility.
Marsha needs to ensure that the workstations she is responsible for have received a critical Windows patch. Which of the following methods should she avoid using to validate patch status for Windows 10 systems?
1. Check the Update History manually.
2. Run the Microsoft Baseline Security Analyzer.
3. Create and run a PowerShell script to search for the specific patch she needs to check.
4. Use an endpoint configuration manager to validate patch status for each machine on her domain.
As John proceeds with a forensic investigation involving numerous images, he finds a directory labeled Downloaded from Facebook. The images appear relevant to his investigation, so he processes them for metadata using exiftool. The following image shows the data provided. What forensically useful information can John gather from this output?
1. The original file creation date and time
2. The device used to capture the image
3. The original digest (hash) of the file, allowing comparison to the original
4. None; Facebook strips almost all useful metadata from images.
The hospital that Tony works at is required to be HIPAA compliant and needs to protect HIPAA data. Which of the following is not an example of PHI?
1. Names of individuals
2. Records of health care provided
3. Records of payment for healthcare
4. Individual educational records
Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to?
1. US-CERT
2. The National Cyber Security Authority
3. The National Cyber Security Centre
4. CERT/CC
Which of the following properly lists the order of volatility from least volatile to most volatile?
1. Printouts, swap files, CPU cache, RAM
2. Hard drives, USB media, DVDs, CD-RWs
3. DVDs, hard drives, virtual memory, caches
4. RAM, swap files, SSDs, printouts
Joe wants to recover the passwords for local Windows users on a Windows workstation. Where are the password hashes stored?
1. C:\Windows\System32\passwords
2. C:\Windows\System32\config
3. C:\Windows\Secure\config
4. C:\Windows\Secure\accounts
While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2020.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred?
1. Microsoft Word files are stored in ZIP format.
2. Microsoft Word files are encrypted.
3. Microsoft Word files can be opened only by Microsoft Word.
4. The user has used antiforensic techniques to scramble the data.
Singh is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image?
1. Memory resources are available.
2. Memory resources are available but being tasked by memory management processes.
3. Memory resources are in danger, and applications will be terminated to free up memory.
4. Memory resources are depleted, and the disk has begun to swap.
Lukas believes that one of his users has attempted to use built-in Windows commands to probe servers on the network he is responsible for. How can he recover the command history for that user if the system has been rebooted since the reconnaissance has occurred?
1. Check the Bash history.
2. Open a command prompt window and press F7.
3. Manually open the command history from the user's profile directory.
4. The Windows command prompt does not store command history.
While conducting a wireless site survey, Susan discovers two wireless access points that are both using the same MAC address. When she attempts to connect to each, she is sent to a login page for her organization. What should she be worried about?
1. A misconfigured access point
2. A vendor error
3. An evil twin attack
4. A malicious MAC attack
During an incident response effort, Alex discovers a running Unix process that shows that it was run using the command nc -k -l 6667. He does not recognize the service, believes it may be a malicious process, and needs assistance in determining what it is. Which of the following would best describe what he has encountered?
1. An IRC server
2. A network catalog server
3. A user running a shell command
4. A netcat server
Angela is conducting an incident response exercise and needs to assess the economic impact to her organization of a $500,000 expense related to an information security incident. How should she categorize this?
1. Low impact
2. Medium impact
3. High impact
4. Angela cannot assess the impact with the data given.
Saanvi needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly?
1. Monitor traffic by running Wireshark or tcpdump on the system.
2. Configure a unique event ID and send it.
3. Monitor traffic by running Wireshark or tcpdump on the SIEM device.
4. Generate a known event ID and monitor for it.
Susan wants to protect the Windows workstations in her domain from buffer overflow attacks. What should she recommend to the domain administrators at her company?
1. Install an antimalware tool.
2. Install an antivirus tool.
3. Enable DEP in Windows.
4. Set VirtualAllocProtection to 1 in the registry.
What step follows sanitization of media according to NIST guidelines for secure media handling?
1. Reuse
2. Validation
3. Destruction
4. Documentation
Latisha wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them?
1. A chain-of-custody log
2. Tamper-proof seals
3. System logs
4. None of the above
Matt's incident response team has collected log information and is working on identifying attackers using that information. What two stages of the NIST incident response process is his time working in?
1. Preparation and containment, eradication, and recovery
2. Preparation and postincident activity
3. Detection and analysis, and containment, eradication, and recovery
4. Containment, eradication, and recovery and postincident activity
Maria wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Maria performed?
1. Manual code reversing
2. Interactive behavior analysis
3. Static property analysis
4. Dynamic code analysis
Raj discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure?
1. Data was modified.
2. The source disk is encrypted.
3. The destination disk has bad sectors.
4. The data cannot be copied in RAW format.
Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using?
1. Sandboxing
2. Reverse engineering
3. Malware disassembly
4. Darknet analysis
Liam notices the following entries in his Squert web console (a web console for Sguil IDS data). What should he do next to determine what occurred?
1. Review SSH logs.
2. Disable SSH and then investigate further.
3. Disconnect the server from the Internet and then investigate.
4. Immediately change his password.
Latisha wants to avoid running a program installed by a user that she believes is set with a RunOnce key in the Windows registry but needs to boot the system. What can she do to prevent RunOnce from executing the programs listed in the registry key?
1. Disable the registry at boot.
2. Boot into Safe Mode.
3. Boot with the -RunOnce flag.
4. RunOnce cannot be disabled; she will need to boot from external media to disable it first.
Pranab wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information?
1. The registry
2. The setupapi log file
3. The system log
4. The data is not kept on a Windows system.
A major new botnet infection that uses a peer-to-peer command-and-control process has been released. Latisha wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems?
1. Build an IPS rule to detect all peer-to-peer communications that match the botnet's installer signature.
2. Use beaconing detection scripts focused on the command-and-control systems.
3. Capture network flows for all hosts and use filters to remove normal traffic types.
4. Immediately build a network traffic baseline and analyze it for anomalies.
Which of the following activities is not part of the containment and restoration process?
1. Minimizing loss
2. Identifying the attacker
3. Limiting service disruption
4. Rebuilding compromised systems
Samantha has recently taken a new position as the first security analyst that her employer has ever had on staff. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Samantha plans to start up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise?
1. An incident response policy
2. An operations manual
3. An incident response program
4. A playbook
What type of attack behavior is shown here?
1. Kernel override
2. RPC rewrite
3. Buffer overflow
4. Heap hack
While investigating a compromise, Jack discovers four files that he does not recognize and believes may be malware. What can he do to quickly and effectively check the files to see whether they are malware?
1. Submit them to a site like VirusTotal.
2. Open them using a static analysis tool.
3. Run strings against each file to identify common malware identifiers.
4. Run a local antivirus or antimalware tool against them.
Alexandra is attempting to determine why a Windows system keeps filling its disk. If she wants to see a graphical view of the contents of the disk that allows her to drill down on each cluster, what Sysinternals tool should she use?
1. du
2. df
3. GraphDisk
4. DiskView
What useful information cannot be determined from the contents of the $HOME/.ssh folder when conducting forensic investigations of a Linux system?
1. Remote hosts that have been connected to
2. Private keys used to log in elsewhere
3. Public keys used for logins to this system
4. Passphrases associated with the keys
John believes that the image files he has encountered during a forensic investigation were downloaded from a site on the Internet. What tool can John use to help identify where the files were downloaded from?
1. Google reverse image search
2. Tineye
3. Bing Image Match
4. All of the above
Brian's network suddenly stops working at 8:40 a.m., interrupting videoconferences, streaming, and other services throughout his organization, and then resumes functioning. When Brian logs into his PRTG console and checks his router's traffic via the primary connection's redundant network link, he sees the following graph. What should Brian presume occurred based on this information?
1. The network failed and is running in cached mode.
2. There was a link card failure, and the card recovered.
3. His primary link went down, and he should check his secondary link for traffic.
4. PRTG stopped receiving flow information and needs to be restarted.
Carlos needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following is not a method that he could use to acquire the BitLocker key?
1. Analyzing the hibernation file
2. Analyzing a memory dump file
3. Retrieving the key from the MBR
4. Performing a FireWire attack on mounted drives
Adam works for a large university and sees the following graph in his PRTG console when looking at a yearlong view. What behavioral analysis could he leverage based on this pattern?
1. Identify unexpected traffic during breaks like the low point at Christmas.
2. He can determine why major traffic drops happen on weekends.
3. He can identify top talkers.
4. Adam cannot make any behavioral determinations based on this chart.
What is space between the last sector containing logical data and the end of the cluster called?
1. Unallocated space
2. Ephemeral space
3. Slack space
4. Unformatted space
Faruk wants to use netstat to get the process name, the PID, and the username associated with abnormally behaving processes that are running on a Linux system he is investigating. What netstat flags will provide him with this information?
1. -na
2. -pt
3. -pe
4. -sa
Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice?
1. It will create a crash log, providing useful memory forensic information.
2. It will prevent shutdown scripts from running.
3. It will create a memory dump, providing useful forensic information.
4. It will cause memory-resident malware to be captured, allowing analysis.
Amanda has been tasked with acquiring data from an iPhone as part of a mobile forensics effort. At what point should she remove the SIM (or UICC) card from the device if she receives the device in a powered-on state?
1. While powered on, but after logical collection
2. While powered on, prior to logical collection
3. While powered off, after logical collection
4. While powered off, before logical collection
Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities?
1. Wapiti
2. nmap
3. OpenVAS
4. ZAP
What is the key goal of the containment stage of an incident response process?
1. To limit leaks to the press or customers
2. To limit further damage from occurring
3. To prevent data exfiltration
4. To restore systems to normal operation
What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption?
1. Level 1: Manual extraction
2. Level 2: Logical extraction
3. Level 3: JTAG or HEX dumping
4. Level 4: Chip extraction
Wang is performing a forensic analysis of a Windows 10 system and wants to provide an overview of usage of the system using information contained in the Windows registry. Which of the following is not a data element she can pull from the SAM?
1. Password expiration setting
2. User account type
3. Number of logins
4. The first time the account logged in
Samantha is preparing a report describing the common attack models used by advanced persistent threat actors. Which of the following is a typical characteristic of APT attacks?
1. They involve sophisticated DDoS attacks.
2. They quietly gather information from compromised systems.
3. They rely on worms to spread.
4. They use encryption to hold data hostage.
During an incident response process, Alice is assigned to gather details about what data was accessed, if it was exfiltrated, and what type of data was exposed. What type of analysis is she doing?
1. Information impact analysis
2. Economic impact analysis
3. Downtime analysis
4. Recovery time analysis
Carol has discovered an attack that appears to be following the process flow shown here. What type of attack should she identify this as?
1. Phishing
2. Zero-day exploit
3. Whaling
4. Advanced persistent threat
Refer to the image shown here for questions 200–202.
During an e-discovery process, Carol reviews the request from opposing counsel and builds a list of all of the individuals identified. She then contacts the IT staff who support each person to request a list of their IT assets. What phase of the EDRM flow is she in?
1. Information governance
2. Identification
3. Preservation
4. Collection
During the preservation phase of her work, Carol discovers that information requested as part of the discovery request has been deleted as part of a regularly scheduled data cleanup as required by her organization's policies. What should Carol do?
1. Conduct a forensic recovery of the data.
2. Create synthetic data to replace the missing data.
3. Report the issue to counsel.
4. Purge any other data related to the request based on the same policy.
What phase should Carol expect to spend the most person-hours in?
1. Identification
2. Collection and preservation
3. Processing, review, and analysis
4. Production
The incident response kit that Cassandra is building is based around a powerful laptop so that she can perform on-site drive acquisitions and analysis. If she expects to need to acquire data from SATA, IDE, SSD, and flash drives, what item should she include in her kit?
1. A write blocker
2. A USB hard drive
3. A multi-interface drive adapter
4. A USB-C cable
Which of the following items is not typically found in corporate forensic kits?
1. Write blockers
2. Crime scene tape
3. Label makers
4. Decryption tools
What incident response tool should Kai build prior to an incident to ensure that staff can reach critical responders when needed?
1. A triage triangle
2. A call list
3. A call rotation
4. A responsibility matrix
While performing process analysis on a compromised Linux system, Kai discovers a process called “john” that is running. What should she identify as the most likely use of the program?
1. Password cracking
2. Privilege escalation
3. A rootkit
4. A user named John's personal application
Which of the following organizations is not typically involved in postincident communications?
1. Developers
2. Marketing
3. Public relations
4. Legal
While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100 percent processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next?
1. Review the sites visited by the web browser when the CPU utilization issues occur
2. Check the browser binary against a known good version
3. Reinstall the browser
4. Disable TLS
Mika finds that the version of Java installed on her organization's web server has been replaced. What type of issue is this best categorized as?
1. Unauthorized software
2. An unauthorized change
3. Unexpected input
4. A memory overflow
Greg finds a series of log entries in his Apache logs showing long strings "AAAAAAAAAAAAAAAAAAAAAAA", followed by strings of characters. What type of attack has he most likely discovered?
1. A SQL injection attack
2. A denial-of-service attack
3. A buffer overflow attack
4. A PHP string-ring attack
Barb wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively?
1. A log analysis tool
2. A behavior-based analysis tool
3. A signature-based detection tool
4. Manual analysis
Tom is building his incident response team and is concerned about how the organization will address insider threats. Which business function would be most capable of assisting with the development of disciplinary policies?
1. Information security
2. Human resources
3. Legal counsel
4. Senior management
Which one of the following data elements would constitute sensitive personal information (SPI) under the European Union's General Data Protection Regulation?
1. Driver's license number
2. Sexual orientation
3. Bank account number
4. Address
During a security incident, Joanna makes a series of changes to production systems to contain the damage. What type of change should she file in her organization's change control process when the response effort is concluding?
1. Routine change
2. Priority change
3. Emergency change
4. Pre-approved change
Which one of the following incident response test types provides an interactive exercise for the entire team but does not run the risk of disrupting normal business activity?
1. Full interruption test
2. Checklist review
3. Management review
4. Tabletop exercise
Greg suspects that an attacker is running an SSH server on his network over a nonstandard port. What port is normally used for SSH communications?
1. 21
2. 22
3. 443
4. 444
Amanda is reviewing the security of a system that was previously compromised. She is searching for signs that the attacker has achieved persistence on the system. Which one of the following should be her highest priority to review?
1. Scheduled tasks
2. Network traffic
3. Running processes
4. Application logs
Which of the following cloud service environments is likely to provide the best available information for forensic analysis?
1. SaaS
2. IaaS
3. PaaS
4. IDaaS
Ken is helping his organization prepare for future incident response efforts and would like to ensure that they conduct regular training exercises. Which one of the following exercises could he use to remind incident responders of their responsibilities with the least impact on other organizational priorities?
1. Checklist review
2. Structured walkthrough
3. Capture the flag
4. Tabletop exercise
When analyzing network traffic for indicators of compromise, which one of the following service/port pairings would indicate a common protocol running on a non-standard port?
1. HTTPS on TCP port 443
2. RDP on TCP port 3389
3. SSH on TCP port 1433
4. HTTP on TCP port 80
Camilla is participating in the eradication and recovery stage of an incident response process. Which one of the following activities would not normally occur during this phase?
1. Vulnerability mitigation
2. Restoration of permissions
3. Verification of logging/communication to security monitoring
4. Analysis of drive capacity consumption
Craig is revising his organization’s incident response plan and wants to ensure that the plan includes coordination with all relevant internal and external entities. Which one of the following stakeholders should he be most cautious about coordinating with?
1. Regulatory bodies
2. Senior leadership
3. Legal
4. Human resources