FedVTE Cyber Security Investigations 30 Questions with Verified Answers
Which of the following can be determined by capturing and analyzing network traffic?
A. Intent of Insider Threat actors and logs of their activity
B. Communication and connections between hosts
C. Open files and Registry handles on individual hosts
D. Firewall and Intrusion Detection rules for the gateway - CORRECT ANSWER B. Communication and connections between hosts
Which of the following is a method to detect an incident?
A. IDS alarm
B. Log analysis
C. 3rd Party Information
D. Public or attacker announcement
E. All of the above
F. None of the above - CORRECT ANSWER E. All of the above
Which of the following describes hash analysis?
A. Validating file integrity by matching before and after hash values
B. Organizing data sets into key and hash value pairs
C. Matching file hash values against a set of known hash values
D. Identifying file types by analyzing individual hash values - CORRECT ANSWER C. Matching file hash values against a set of known hash values
Which of the following is NOT a goal of triage?
A. Quickly identify indicators of compromise
B. Identify vectors used to compromise the systems
C. Determine normal and abnormal network behavior
D. Determine which systems require in-depth analysis - CORRECT ANSWER C. Determine normal and abnormal network behavior
What is the order of the stages of attacker methodology?
A. Footprinting, Vulnerability Exploitation, Foothold, Damage
B. Footprinting, Foothold, Vulnerability Exploitation, Damage
C. Footprinting, Vulnerability Exploitation, Damage, Foothold
D. Vulnerability exploitation, Footprinting, Foothold, Damage - CORRECT ANSWER A. Footprinting, Vulnerability Exploitation, Foothold, Damage
Why is analysis of file signatures and file extensions helpful to investigators?
A. They can identify what the file type is and what the OS will try to open it with
B. They can determine if the file was corrupted during transfer
C. They can indicate obfuscation by showing when signatures and extensions do not match
D. They can show if the file was executed by a user or if it was a drive-by download - CORRECT ANSWER C. They can indicate obfuscation by showing when signatures and extensions do not match
Subjective data has no purpose in Incident Response considerations.
A. True
B. False - CORRECT ANSWER B. False
What is the purpose of a write-block device?
A. To deny a system from communicating on a network
B. To prevent changes to a piece of digital evidence
C. To prevent malware from being written to a hard drive
D. To queue system writes to prevent congestion when writing to the drive - CORRECT ANSWER B. To prevent changes to a piece of digital evidence
Why is it important to check At/Scheduled Tasks, Startup folders, Registry HKCU/HKLM, DLL replacements and Web browser extensions?
A. These are areas where insider threat actors typically hide evidence of their activity
B. These are areas to check for malware persistence
C. These areas can be overwritten by newer records, especially on new systems with a high level of events generated
D. These areas are often compressed and encrypted to bypass security sensors - CORRECT ANSWER B. These are areas to check for malware persistence
A forensic image is:
A. A picture taken of the physical components of a compromised system
B. The documentation surrounding a piece of evidence
C. A zipped container of all forensic evidence regarding a specific incident
D. An identical copy of a piece of digital evidence - CORRECT ANSWER D. An identical copy of a piece of digital evidence
RAM is volatile data and collected while the system is still running, as it will be lost when power is removed.
A. True
B. False - CORRECT ANSWER A. True
Installing patches, disabling services, removing accounts, and re-imaging systems are example methods of:
A. Collection
B. Containment
C. Detection
D. Eradication
E. All of the above
F. None of the above - CORRECT ANSWER D. Eradication
Which of the following best describes the difference between physical and logical images?
A. Physical images are obtained using physical imaging devices and logical images use software to create an image
B. Physical images are bit for bit duplicates of an entire device and logical images only collect information readable by the filesystem
C. Physical images can only be collected on site and logical images can only be collected using remote imaging techniques
D. Physical and logical images both collect all information on the media device but only logical images can collect files in memory - CORRECT ANSWER B. Physical images are bit for bit duplicates of an entire device and logical images only collect information readable by the filesystem
Once an intruder has identified targets to attack and the vulnerabilities to exploit, they will begin their attack. Which phase of the attacker methodology does this fall under?
A. Breach
B. Enumeration
C. Exploitation
D. Extortion
E. Footprinting - CORRECT ANSWER C. Exploitation
What stage of the Digital Forensics Life Cycle does the following describe?: Training of personnel, enabling monitoring capabilities, and configuring tools to meet needs.
A. Acquisition/Development
B. Operations/Maintenance
C. Disposal/Transition
D. Implementation/Assessment - CORRECT ANSWER D. Implementation/Assessment
What are MAC timestamps?
A. The dates and times a MAC address was configured on a NIC
B. Times that determine when packets passed through a router or switch
C. Metadata timestamps on files that are valuable but should be carefully evaluated
D. A Macintosh file system method of recording activity - CORRECT ANSWER C. Metadata timestamps on files that are valuable but should be carefully evaluated
An on-site forensics team is always more cost effective for organizations than hiring an off-site team.
A. True
B. False - CORRECT ANSWER B. False
What is Netflow?
A. It is a protocol used to map a computer network address to a hardware address
B. It is a program that locally collects information about Windows computers
C. It is a protocol that allows the user to view all traffic on a SPAN port
D. It is a protocol developed by Cisco to track and examine traffic volume - CORRECT ANSWER D. It is a protocol developed by Cisco to track and examine traffic volume
The primary reason for forensically preparing media is:
A. To ensure there is adequate space to run tools and equipment
B. To ensure that there is no residual data from previous use
C. To ensure media is able to copy and share data
D. To ensure that media is compatible with the system - CORRECT ANSWER B. To ensure that there is no residual data from previous use
Which of the following would return subjective data?
A. Was the team adequately prepared and trained?
B. How many systems were affected?
C. What indicators were identified or missed?
D. What was the timeline of the incident response and forensic analysis? - CORRECT ANSWER A. Was the team adequately prepared and trained?
Which of the following can cause a compromise in evidentiary value?
A. Breaks in chain of custody
B. Evidence that has been changed
C. Evidence collected without proper techniques
D. Failure to comply with the law during evidence collection
E. All of the above
F. None of the above - CORRECT ANSWER E. All of the above
What makes the Eradication phase of Incident Response difficult?
A. All compromised systems must be cleaned because a single missed system can re-allow access
B. Stopping an intrusion in progress introduces new risks and potential vulnerabilities to the network
C. Eradicating the intrusion must wait until all legal action is completed
D. During eradication every system must be removed from the network and re-built from scratch - CORRECT ANSWER A. All compromised systems must be cleaned because a single missed system can re-allow access
Locard's Principle speculates that:
A. Every piece of evidence must pass the verifiability, repeatability, and traceability test
B. Every system connected to another must be identifiable
C. Every 'contact' between two people or systems will leave a trace
D. Every 'contact' between two people or systems will be logged - CORRECT ANSWER C. Every 'contact' between two people or systems will leave a trace
RAM may contain which of the following types of information?
A. Open File
B. Network Connections
C. Running processes
D. Logged on users
E. All of the above
F. None of the above - CORRECT ANSWER E. All of the above
What is a "Hive"?
A. An area the Macintosh file system uses to maintain the relationships between files and directories on a volume
B. A key part of the Linux file system that contains UIDs, GIDs, modification, access, creation times, and file locations
C. A collection of discrete files that contains a registry tree and root key
D. A subnet that contains honeypots - CORRECT ANSWER C. A collection of discrete files that contains a registry tree and root key
With incident response, the activity of assigning levels of urgency to individual devices under examination, and then processing the devices in the identified order, is known as:
A. Favoring
B. Scaling
C. Triage
D. Vetting - CORRECT ANSWER C. Triage
When responding to an incident, which type of data should be collected first?
A. Archived logs
B. Flash media
C. Interviews
D. Volatile data - CORRECT ANSWER D. Volatile data
Which of the following refers to the documentation of and actions on evidence that is going to be used as part of an investigation?
A. Evidentiary consideration
B. Chain of custody
C. Traceability of custody
D. Evidentiary verifiability - CORRECT ANSWER B. Chain of custody
Hash values can be calculated for any file or data set, including full hard drives.
A. True
B. False - CORRECT ANSWER A. True
Which of the following best describes data carving?
A. Data carving is the process of segmenting data by device in order to prevent evidence corruption
B. Data carving is the process of searching through a drive for file signatures to identify remnants of files
C. Data carving is the process of rendering a file unreadable to unauthorized persons or devices
D. Data carving is the process of copying a file while ensuring that the original file is unchanged during the copy process for submission in a court of law - CORRECT ANSWER B. Data carving is the process of searching through a drive for file signatures to identify remnants of files