Which of the following can be determined by capturing and analyzing network traffic?
A. Intent of Insider Threat actors and logs of their activity
B. Communication and connections between hosts
C. Open files and Registry handles on individual hosts
D. Firewall and Intrusion Detection rules for the gateway CORRECT ANSWER B. Communication and connections between hosts
Which of the following is a method to detect an incident?
A. IDS alarm
B. Log analysis
C. 3rd Party Information
D. Public or attacker announcement
E. All of the above
F. None of the above CORRECT ANSWER E. All of the above
Which of the following describes hash analysis?
A. Validating file integrity by matching before and after hash values
B. Organizing data sets into key and hash value pairs
C. Matching file hash values against a set of known hash values
D. Identifying file types by analyzing individual hash values CORRECT ANSWER C. Matching file hash values against a set of known hash values
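As an added illustration of hash analysis (example code, not part of the original quiz): each file's SHA-256 is compared against sets of known hashes. The known-bad and known-good sets below are constructed from the sample contents so the script runs offline; in practice they come from a threat-intel feed and a known-good catalogue such as NSRL. Note what the lookup does and does not catch: a renamed copy of the same bytes still matches, while a single changed byte produces an entirely different digest and falls through as "unknown".

```python
import hashlib

# Constructed sample "files" (name -> content); not from the original page.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4 constructed benign document\n",
    "svchost.exe": b"MZ constructed dropper body\x00",
    "svchost_renamed.tmp": b"MZ constructed dropper body\x00",  # same bytes, new name
    "svchost_patched.exe": b"MZ constructed dropper body\x01",  # one byte changed
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, hex-encoded; this is the file's identity for matching."""
    return hashlib.sha256(data).hexdigest()


# Known-hash sets are normally loaded from a feed or database. Constructed here
# from the sample contents so the example has no external dependencies.
KNOWN_BAD = {sha256_hex(b"MZ constructed dropper body\x00")}
KNOWN_GOOD = {sha256_hex(b"%PDF-1.4 constructed benign document\n")}


def classify(files: dict) -> dict:
    """Return {filename: 'known-bad' | 'known-good' | 'unknown'} by hash lookup.

    Filenames and extensions play no part in the decision; only content does.
    """
    verdicts = {}
    for name, content in files.items():
        digest = sha256_hex(content)
        if digest in KNOWN_BAD:
            verdicts[name] = "known-bad"
        elif digest in KNOWN_GOOD:
            verdicts[name] = "known-good"
        else:
            verdicts[name] = "unknown"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_FILES).items():
        print(f"{name:24} {verdict}")
```

During triage the known-good set is the more valuable half: matching thousands of untouched OS files lets an analyst discard them and spend in-depth analysis on the "unknown" remainder.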
Which of the following is NOT a goal of triage?
A. Quickly identify indicators of compromise
B. Identify vectors used to compromise the systems
C. Determine normal and abnormal network behavior
D. Determine which systems require in-depth analysis CORRECT ANSWER C. Determine normal and abnormal network behavior
What is the order of the stages of attacker methodology?
A. Footprinting, Vulnerability Exploitation, Foothold, Damage
B. Footprinting, Foothold, Vulnerability Exploitation, Damage
C. Footprinting, Vulnerability Exploitation, Damage, Foothold
D. Vulnerability Exploitation, Footprinting, Foothold, Damage CORRECT ANSWER A. Footprinting, Vulnerability Exploitation, Foothold, Damage
Why is analysis of file signatures and file extensions helpful to investigators?
A. They can identify what the file type is and what the OS will try to open it with
B. They can determine if the file was corrupted during transfer
C. They can indicate obfuscation by showing when signatures and extensions do not match
D. They can show if the file was executed by a user or if it was a drive-by download CORRECT ANSWER C. They can indicate obfuscation by showing when signatures and extensions do not match
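The signature-versus-extension check described in the correct answer, as an added example (not code from the original quiz): the type implied by the leading magic bytes is compared with the type implied by the extension, and a disagreement is flagged. The signature table, the extension map and the sample headers are a constructed subset for the example; real tools carry hundreds of signatures, some at non-zero offsets.

```python
import os

# Magic-byte signatures at file offset 0. Constructed subset for the example.
SIGNATURES = {
    b"MZ": "exe",                  # Windows PE / DOS executable
    b"\x7fELF": "elf",             # Linux ELF executable
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",          # also docx/xlsx/jar/apk (ZIP containers)
}

# Extensions that legitimately carry each signature.
EXPECTED = {
    "exe": {".exe", ".dll", ".sys", ".scr"},
    "elf": {"", ".so", ".bin"},
    "pdf": {".pdf"},
    "png": {".png"},
    "jpg": {".jpg", ".jpeg"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
}


def identify(header: bytes):
    """Return the type whose signature matches the first bytes, or None if no match."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def check(filename: str, header: bytes) -> dict:
    """Compare the type implied by the extension with the type implied by content."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(header)
    if kind is None:
        status = "unknown-signature"     # needs a deeper look, not automatically bad
    elif ext in EXPECTED[kind]:
        status = "ok"
    else:
        status = "mismatch"              # content type and extension disagree
    return {"file": filename, "ext": ext, "signature": kind, "status": status}


def check_path(path: str) -> dict:
    """Same check against a real file; 16 bytes covers every signature above."""
    with open(path, "rb") as f:
        return check(os.path.basename(path), f.read(16))


# Constructed samples: only the leading bytes matter for this check.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("holiday2.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE disguised as an image
    ("report.pdf", b"%PDF-1.7\n"),
    ("update.txt", b"\x7fELF\x02\x01\x01"),            # ELF disguised as text
    ("notes.txt", b"just some text"),
]


def scan(samples) -> list:
    return [check(name, header) for name, header in samples]


if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(f"{r['file']:14} ext={r['ext']:6} sig={r['signature']}  {r['status']}")
```

A mismatch is a lead, not a verdict: the same check also fires on a user who saved a DOCX as .zip. The value for an investigator is that an executable renamed to .jpg to slip past an upload filter, or to look harmless in a listing, is exposed by its first two bytes regardless of name.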
Subjective data has no purpose in Incident Response considerations.
A. True
B. False CORRECT ANSWER B. False
What is the purpose of a write-block device?
A. To deny a system from communicating on a network
B. To prevent changes to a piece of digital evidence
C. To prevent malware from being written to a hard drive
D. To queue system writes to prevent congestion when writing to the drive CORRECT ANSWER B. To prevent changes to a piece of digital evidence
Why is it important to check At/Scheduled Tasks, Startup folders, Registry HKCU/HKLM, DLL replacements and Web browser extensions?
A. These are areas where insider threat actors typically hide evidence of their activity
B. These are areas to check for malware persistence
C. These areas can be overwritten by newer records, especially on systems that generate a high volume of events
D. These areas are often compressed and encrypted to bypass security sensors CORRECT ANSWER B. These are areas to check for malware persistence
A forensic image is:
A. A picture taken of the physical components of a compromised system
B. The documentation surrounding a piece of evidence
C. A zipped container of all forensic evidence regarding a specific incident
D. An identical copy of a piece of digital evidence CORRECT ANSWER D. An identical copy of a piece of digital evidence
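An added example tying the last two answers together (example code, not part of the original quiz): a raw, dd-style acquisition that copies a source bit for bit into an image file and then proves the image is identical by hashing. The source hash is taken before and after the copy to show that acquisition did not alter the evidence, which is the guarantee a hardware write blocker provides; opening the source read-only, as here, is only the software-side equivalent. The "device" is a constructed temporary file so the script runs anywhere; the block size is an assumption.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumed block size; real tools use the device's sector size or larger


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so it scales to disk-sized inputs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Bit-for-bit copy of `source` into `image`, with before/after verification.

    The source is opened read-only and never written to. A hardware write
    blocker enforces the same property at the bus level, independent of software.
    """
    before = hash_file(source)
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
            copied += len(chunk)
    after = hash_file(source)       # evidence must be unchanged by the acquisition
    image_hash = hash_file(image)   # image must be identical to the evidence
    return {
        "bytes_copied": copied,
        "source_before": before,
        "source_after": after,
        "image": image_hash,
        "verified": (before == after == image_hash
                     and copied == os.path.getsize(source)),
    }


def demo() -> dict:
    """Run the acquisition against a constructed 'device' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.raw")
        image = os.path.join(d, "evidence.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * BLOCK_SIZE + 123))  # constructed, not block-aligned
        result = acquire(source, image)
    return result


if __name__ == "__main__":
    r = demo()
    print(f"copied {r['bytes_copied']} bytes, verified={r['verified']}")
    print(f"source {r['source_before'][:16]}... image {r['image'][:16]}...")
```

The hashes, the byte count and the time of acquisition are what go into the chain-of-custody record; any later examiner can recompute the image hash and confirm they are working on an identical copy.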
RAM is volatile data and collected while the system is still running, as it will be lost when power is removed.