Which of the following can be determined by capturing and analyzing network traffic?
A. Intent of Insider Threat actors and logs of their activity
B. Communication and connections between hosts
C. Open files and Registry handles on individual hosts
D. Firewall and Intrusion Detection rules for the gateway
B. Communication and connections between hosts
Which of the following is a method to detect an incident?
A. IDS alarm
B. Log analysis
C. 3rd Party Information
D. Public or attacker announcement
E. All of the above
F. None of the above
E. All of the above
Which of the following describes hash analysis?
A. Validating file integrity by matching before and after hash values
B. Organizing data sets into key and hash value pairs
C. Matching file hash values against a set of known hash values
D. Identifying file types by analyzing individual hash values
C. Matching file hash values against a set of known hash values
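Worked example, added here and not part of the original question set: a small Python script that does the hash analysis the answer describes, computing SHA-256 of each file on a host and matching the digests against a known-bad set (a threat-intel list) and a known-good set (an NSRL-style whitelist). The three sample files and both hash sets are constructed for this example; in practice the sets are loaded from a feed, and the point of the known-good set is that files matching it can be dropped from the triage queue so analyst time goes to the "unknown" remainder.

```python
"""Hash analysis: match file hashes against known-bad and known-good sets."""
import hashlib
import os
import tempfile

# Constructed sample content standing in for files found on a host (not real malware).
SAMPLE_MALWARE = b"MZ\x90\x00constructed-sample-not-real-malware"
SAMPLE_SYSTEM_FILE = b"MZ\x90\x00constructed-sample-known-good-binary"
SAMPLE_UNKNOWN = b"just some document text"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large files or images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed hash sets; real ones come from a threat-intel feed and an NSRL-style list.
KNOWN_BAD = {sha256_bytes(SAMPLE_MALWARE)}
KNOWN_GOOD = {sha256_bytes(SAMPLE_SYSTEM_FILE)}


def classify_hash(digest, known_bad=KNOWN_BAD, known_good=KNOWN_GOOD):
    """Known-bad wins over known-good, and hex case is normalised because feeds differ."""
    digest = digest.lower()
    if digest in known_bad:
        return "known-bad"
    if digest in known_good:
        return "known-good"
    return "unknown"


def triage_directory(root, known_bad=KNOWN_BAD, known_good=KNOWN_GOOD):
    """Walk a tree and return {path: verdict}; the 'unknown' files are the ones worth analyst time."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            results[path] = classify_hash(sha256_file(path), known_bad, known_good)
    return results


def demo_triage():
    """Constructed scenario: write the three samples to a temp dir and triage it."""
    samples = (("svchost.exe", SAMPLE_MALWARE),
               ("kernel32.dll", SAMPLE_SYSTEM_FILE),
               ("notes.txt", SAMPLE_UNKNOWN))
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return {os.path.basename(p): v for p, v in triage_directory(d).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo_triage().items()):
        print(f"{verdict:10s} {name}")
```

Note that a hash match only proves the file is byte-identical to a catalogued one: a single changed byte (a repacked or recompiled sample) defeats it, which is why hash analysis is a fast first pass and not a substitute for signature or behavioural analysis.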
Which of the following is NOT a goal of triage?
A. Quickly identify indicators of compromise
B. Identify vectors used to compromise the systems
C. Determine normal and abnormal network behavior
D. Determine which systems require in-depth analysis
C. Determine normal and abnormal network behavior
What is the order of the stages of attacker methodology?
A. Footprinting, Vulnerability Exploitation, Foothold, Damage
B. Footprinting, Foothold, Vulnerability Exploitation, Damage
C. Footprinting, Vulnerability Exploitation, Damage, Foothold
D. Vulnerability exploitation, Footprinting, Foothold, Damage
A. Footprinting, Vulnerability Exploitation, Foothold, Damage
Why is analysis of file signatures and file extensions helpful to investigators?
A. They can identify what the file type is and what the OS will try to open it with
B. They can determine if the file was corrupted during transfer
C. They can indicate obfuscation by showing when signatures and extensions do not match
D. They can show if the file was executed by a user or if it was a drive-by download
C. They can indicate obfuscation by showing when signatures and extensions do not match
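Worked example, added here and not part of the original question set: a Python checker that reads the first bytes of a file, identifies the format from its magic number, and reports a mismatch when the extension claims something else (for example an "invoice.pdf" that actually starts with the MZ header of a Windows executable). The signature table covers only a handful of common formats and the sample files are constructed; ZIP-based formats (docx, xlsx, jar) deliberately share the ZIP signature, so a signature can narrow the type to a family rather than a single extension.

```python
"""Flag files whose magic bytes disagree with their extension."""
import os

# Well-known signatures at offset 0. Constructed subset; a real table is much longer.
SIGNATURES = {
    "exe": (b"MZ",),
    "dll": (b"MZ",),
    "elf": (b"\x7fELF",),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    # OOXML documents and JARs are ZIP containers, so they legitimately share the ZIP signature.
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "jar": (b"PK\x03\x04",),
}
HEADER_LEN = 16


def identify(header):
    """Return the set of extensions whose signature matches the leading bytes."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(header.startswith(m) for m in magics)}


def check(name, header):
    """Return (verdict, matching_extensions) for a file name and its first bytes."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    matches = identify(header)
    if not matches:
        # Text, scripts, unknown binaries: nothing to compare against, so no verdict.
        return ("unknown-signature", matches)
    if ext in matches:
        return ("ok", matches)
    # Signature is recognised but the extension does not belong to that format family.
    return ("mismatch", matches)


def check_file(path):
    with open(path, "rb") as f:
        return check(os.path.basename(path), f.read(HEADER_LEN))


# Constructed samples: name -> leading bytes as they would be read from disk.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",  # PE disguised as PDF
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "macro.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "update.jpg": b"\x7fELF\x02\x01\x01\x00",                 # ELF disguised as an image
    "readme.txt": b"plain text, no magic",
}


def scan_samples():
    """Return {name: verdict} for the constructed samples."""
    return {name: check(name, header)[0] for name, header in SAMPLES.items()}


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        verdict, matches = check(name, header)
        print(f"{verdict:18s} {name:14s} looks like: {', '.join(sorted(matches)) or '-'}")
```

A mismatch is a lead, not a conviction: legitimate software sometimes stores executables under odd extensions, and an attacker can just as easily append a real PDF header in front of a payload. Treat the check as a way to prioritise files for deeper analysis.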
Subjective data has no purpose in Incident Response considerations.
A. True
B. False
B. False
What is the purpose of a write-block device?
A. To deny a system from communicating on a network
B. To prevent changes to a piece of digital evidence
C. To prevent malware from being written to a hard drive
D. To queue system writes to prevent congestion when writing to the drive
B. To prevent changes to a piece of digital evidence
Why is it important to check At/Scheduled Tasks, Startup folders, Registry HKCU/HKLM, DLL replacements and Web browser extensions?
A. These are areas where insider threat actors typically hide evidence of their activity
B. These are areas to check for malware persistence
C. These areas can be overwritten by newer records, especially on systems that generate a high volume of events
D. These areas are often compressed and encrypted to bypass security sensors
B. These are areas to check for malware persistence
A forensic image is:
A. A picture taken of the physical components of a compromised system
B. The documentation surrounding a piece of evidence
C. A zipped container of all forensic evidence regarding a specific incident
D. An identical copy of a piece of digital evidence
D. An identical copy of a piece of digital evidence
RAM is volatile data and is collected while the system is still running, as it will be lost when power is removed.
A. True
B. False
A. True
Installing patches, disabling services, removing accounts, and re-imaging systems are examples of methods used in:
A. Collection
B. Containment
C. Detection
D. Eradication
E. All of the above
F. None of the above
D. Eradication
Which of the following best describes the difference between physical and logical images?
A. Physical images are obtained using physical imaging devices and logical images use software to create an image
B. Physical images are bit for bit duplicates of an entire device and logical images only collect information readable by the filesystem
C. Physical images can only be collected on site and logical images can only be collected using remote imaging techniques
D. Physical and logical images both collect all information on the media device but only logical images can collect files in memory
B. Physical images are bit for bit duplicates of an entire device and logical images only collect information readable by the filesystem
Once an intruder has identified targets to attack and the vulnerabilities to exploit, they will begin their attack. Which phase of the attacker methodology does this fall under?
A. Breach
B. Enumeration
C. Exploitation
D. Extortion
E. Footprinting
C. Exploitation
What stage of the Digital Forensics Life Cycle does the following describe?: Training of personnel, enabling monitoring capabilities, and configuring tools to meet needs.
A. Acquisition/Development
B. Operations/Maintenance
C. Disposal/Transition
D. Implementation/Assessment
D. Implementation/Assessment
What are MAC timestamps?
A. The dates and times a MAC address was configured on a NIC
B. Times that determine when packets passed through a router or switch
C. Metadata timestamps on files that are valuable but should be carefully evaluated
D. A Macintosh file system method of recording activity
C. Metadata timestamps on files that are valuable but should be carefully evaluated
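Worked example, added here and not part of the original question set: a Python script that collects the M (modified), A (accessed) and C (inode changed) timestamps of files and applies the kind of careful evaluation the answer calls for. It relies on one property of Linux and macOS filesystems: a user-level tool can set mtime and atime (utimes, touch -d, timestomping utilities) but cannot set ctime, which the kernel bumps to the current time on every such change. So an mtime later than ctime, or any timestamp in the future, is a combination a normal file lifecycle cannot produce. The three files and the timestomping are constructed inside a temporary directory; on Windows (before Python 3.12) st_ctime is the creation time instead, and the mtime-versus-ctime rule does not apply.

```python
"""Collect MAC timestamps and flag combinations a normal file lifecycle cannot produce."""
import os
import tempfile
import time

ONE_SECOND_NS = 1_000_000_000
FUTURE_SLACK_NS = 60 * ONE_SECOND_NS   # tolerate minor clock skew between hosts


def mac_times(path):
    """Return the M, A and C timestamps in nanoseconds since the epoch.

    Caveat: on Linux/macOS st_ctime is the inode change time, which user-level
    tools cannot set directly; on Windows (before Python 3.12) it is the creation
    time, so the mtime-vs-ctime rule in suspicious() does not hold there.
    """
    st = os.stat(path)
    return {"mtime": st.st_mtime_ns, "atime": st.st_atime_ns, "ctime": st.st_ctime_ns}


def suspicious(path, now_ns=None):
    """Return the reasons a file's timestamps deserve a closer look (empty list = nothing odd)."""
    now_ns = time.time_ns() if now_ns is None else now_ns
    t = mac_times(path)
    reasons = []
    # A write updates mtime and ctime together, and backdating or forward-dating
    # mtime through utimes() moves ctime to *now*, so mtime can never legitimately
    # end up later than ctime. When it does, mtime was set by hand.
    if t["mtime"] > t["ctime"] + ONE_SECOND_NS:
        reasons.append("mtime later than ctime")
    if t["mtime"] > now_ns + FUTURE_SLACK_NS:
        reasons.append("mtime in the future")
    if t["atime"] > now_ns + FUTURE_SLACK_NS:
        reasons.append("atime in the future")
    return reasons


def demo():
    """Constructed scenario: three files, one of them timestomped. Returns {name: reasons}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        now_ns = time.time_ns()
        paths = {}
        for name in ("fresh.log", "preserved-copy.log", "timestomped.log"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"constructed sample\n")
            paths[name] = p
        # A file restored with its original timestamps (cp -p, tar -p) has an old mtime
        # but a recent ctime. That is normal and must not be flagged.
        past = now_ns - 400 * 86400 * ONE_SECOND_NS + 123_456_789
        os.utime(paths["preserved-copy.log"], ns=(past, past))
        # Timestomping: mtime and atime pushed a year ahead, which leaves mtime > ctime.
        future = now_ns + 365 * 86400 * ONE_SECOND_NS
        os.utime(paths["timestomped.log"], ns=(future, future))
        for name, p in paths.items():
            results[name] = suspicious(p, now_ns)
    return results


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:22s} {', '.join(reasons) or 'ok'}")
```

The absence of a flag proves nothing: a backdated mtime looks exactly like a file copied with its timestamps preserved, and an attacker with kernel or raw-disk access can rewrite ctime too. MAC times are corroborating evidence to line up against logs, journal entries and other artefacts, never a standalone verdict.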
An on-site forensics team is always more cost effective for organizations than hiring an off-site team.
A. True
B. False
B. False
What is Netflow?
A. It is a protocol used to map a computer network address to a hardware address
B. It is a program that locally collects information about Windows computers
C. It is a protocol that allows the user to view all traffic on a SPAN port
D. It is a protocol developed by Cisco to track and examine traffic volume
D. It is a protocol developed by Cisco to track and examine traffic volume
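Worked example, added here and not part of the original question set, covering both this question and the earlier one on what captured network traffic can show (communication and connections between hosts): a Python parser for NetFlow v5 export datagrams that turns the flow records into a per-conversation summary of packets and bytes. The 24-byte header and 48-byte record layout are the published v5 format; the exporter, addresses and volumes in the sample packet are constructed. Because a collector listens on UDP for anything that reaches it, the parser refuses to trust the header's record count until it has been checked against the actual datagram length.

```python
"""Parse NetFlow v5 export packets and summarise who talked to whom."""
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte v5 flow record
MAX_RECORDS = 30                                     # v5 exporters send at most 30 flows per datagram
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_packet(data):
    """Return (header, records). Never trusts the 'count' field without checking the length."""
    if len(data) < HEADER.size:
        raise ValueError("truncated NetFlow header")
    hdr = dict(zip(HEADER_FIELDS, HEADER.unpack_from(data, 0)))
    if hdr["version"] != 5:
        raise ValueError("not a NetFlow v5 packet: version %d" % hdr["version"])
    count = hdr["count"]
    if count > MAX_RECORDS or len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("count field (%d) disagrees with packet length %d" % (count, len(data)))
    records = []
    for i in range(count):
        rec = dict(zip(RECORD_FIELDS, RECORD.unpack_from(data, HEADER.size + i * RECORD.size)))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = socket.inet_ntoa(rec[k])
        records.append(rec)
    return hdr, records


def is_malformed(data):
    try:
        parse_packet(data)
        return False
    except ValueError:
        return True


def summarise(records):
    """Aggregate flows into (src, dst, proto, dstport) conversations with packet and byte totals."""
    conv = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for r in records:
        c = conv[(r["srcaddr"], r["dstaddr"], r["prot"], r["dstport"])]
        c["flows"] += 1
        c["packets"] += r["dPkts"]
        c["octets"] += r["dOctets"]
    return dict(conv)


def build_record(src, dst, sport, dport, prot, pkts, octets, tcp_flags=0):
    """Pack one v5 record; used only to construct the sample packet below."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, pkts, octets, 1000, 2000, sport, dport, 0, tcp_flags,
                       prot, 0, 0, 0, 24, 24, 0)


def build_packet(records):
    return HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0) + b"".join(records)


# Constructed sample export: a large upload to an external host plus SMB traffic to a peer.
SAMPLE_PACKET = build_packet([
    build_record("10.0.0.5", "203.0.113.7", 51234, 443, 6, 900, 1_200_000, 0x18),
    build_record("203.0.113.7", "10.0.0.5", 443, 51234, 6, 400, 40_000, 0x18),
    build_record("10.0.0.5", "10.0.0.9", 51300, 445, 6, 30, 4_500, 0x02),
])


def top_talkers(data, n=3):
    """Parse a packet and return the n busiest conversations by bytes."""
    _, records = parse_packet(data)
    conv = summarise(records)
    return sorted(conv.items(), key=lambda kv: kv[1]["octets"], reverse=True)[:n]


if __name__ == "__main__":
    for (src, dst, prot, dport), c in top_talkers(SAMPLE_PACKET):
        print(f"{src} -> {dst}:{dport}/{prot} flows={c['flows']} "
              f"packets={c['packets']} bytes={c['octets']}")
```

NetFlow carries no payload, so what it gives an investigator is exactly what the summary shows: which hosts spoke to which, on which ports, how much and when. That is enough to spot a 1.2 MB outbound transfer to an unfamiliar address or a workstation probing a peer on 445, but confirming what was sent requires a full packet capture or host artefacts.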
The primary reason for forensically preparing media is:
A. To ensure there is adequate space to run tools and equipment
B. To ensure that there is no residual data from previous use
C. To ensure media is able to copy and share data
D. To ensure that media is compatible with the system
B. To ensure that there is no residual data from previous use
Which of the following would return subjective data?
A. Was the team adequately prepared and trained?
B. How many systems were affected?
C. What indicators were identified or missed?
D. What was the timeline of the incident response and forensic analysis?
A. Was the team adequately prepared and trained?
Which of the following can cause a compromise in evidentiary value?
A. Breaks in chain of custody
B. Evidence that has been changed
C. Evidence collected without proper techniques
D. Failure to comply with the law during evidence collection
E. All of the above
F. None of the above
E. All of the above
What makes the Eradication phase of Incident Response difficult?
A. All compromised systems must be cleaned because a single missed system can re-allow access
B. Stopping an intrusion in progress introduces new risks and potential vulnerabilities to the network
C. Eradicating the intrusion must wait until all legal action is completed
D. During eradication every system must be removed from the network and re-built from scratch
A. All compromised systems must be cleaned because a single missed system can re-allow access
Locard's Exchange Principle states that:
A. Every piece of evidence must pass the verifiability, repeatability, and traceability test
B. Every system connected to another must be identifiable
C. Every 'contact' between two people or systems will leave a trace
D. Every 'contact' between two people or systems will be logged
C. Every 'contact' between two people or systems will leave a trace
RAM may contain which of the following types of information?
A. Open files
B. Network Connections
C. Running processes
D. Logged on users
E. All of the above
F. None of the above
E. All of the above