CSA+ CH 3 Cyber Incident Response 1/2
Lauren wants to create a forensic image that third-party investigators can use but does not know what tool the third-party investigation team that her company intends to engage will use. Which of the following forensic formats should she choose if she wants almost any forensic tool to be able to access the image? E01 AFF RAW AD1
C. A RAW image, like those created by dd, is Lauren's best option for broad compatibility. Many forensic tools support multiple image formats, but RAW files are supported almost universally by forensic tools.
Which of the following commands is not useful for determining the list of network interfaces on a Linux system? ifconfig netstat -i ip link show intf -q
D. ifconfig, netstat -i, and ip link show will all display a list of the network interfaces for a Linux system. The intf command is made up for this question.
What Windows memory protection methodology is shown here? Diagram shows two boxes labeled first boot (user32, kernel32, Chrome, SysMain) and second boot (kernel32, user32, SysMain, edge). DEP ASLR StackProtect MemShuffle
B. Address Space Layout Randomization (ASLR) is a technique used to prevent buffer overflows and stack smashing attacks from being able to predict where executable code resides in the heap. DEP is Data Execution Protection, and both StackProtect and MemShuffle were made up for this question.
Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage? SNMP Portmon Packet sniffing Netflow
B. SNMP, packet sniffing, and netflow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial ports, not exactly the sort of tool you'd use to watch your network's bandwidth usage!
Fred wants to identify digital evidence that can place an individual in a specific place at a specific time. Which of the following types of digital forensic data is not commonly used to attempt to document physical location at specific times? Cell phone GPS logs Photograph metadata Cell phone tower logs Microsoft Office document metadata
D. Cell phones contain a treasure trove of location data including both tower connection log data and GPS location logs in some instances. Photographs taken on mobile devices may also include location metadata. Microsoft Office files do not typically include location information. Other potential sources of data include car GPS systems if the individual has a car with built-in GPS, black-box data-gathering systems, social media posts, and fitness software, as well as any other devices that may have built-in GPS or location detection capabilities. In some cases, this can be as simple as determining whether the individual's devices were connected to a specific network at a specific time.
The company that Brian works for processes credit cards and is required to be compliant with PCI-DSS. If Brian's company experiences a breach of card data, what type of disclosure will they be required to provide? Notification to local law enforcement Notification to their acquiring bank Notification to federal law enforcement Notification to Visa and MasterCard
B. Organizations that process credit cards work with acquiring banks to handle their card processing, rather than directly with the card providers. Notification to the bank is part of this type of response effort. Requiring notification of law enforcement is unlikely, and the card provider listing specifies only two of the major card vendors, none of which are specified in the question.
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed? Logical Bit-by-bit Sparse None of the above
A. A logical acquisition focuses on specific files of interest, such as a specific type of file, or files from a specific location. In Eric's case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit-by-bit acquisition is typically performed for a full drive and will take longer.
A server in the data center that Chris is responsible for monitoring unexpectedly connects to an off-site IP address and transfers 9GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type? Flow logs with heuristic analysis SNMP monitoring with heuristic analysis Flow logs with signature based detection SNMP monitoring with signature-based detection
A. Flow logs would show Chris outbound traffic flows based on remote IP addresses as well as volume of traffic, and behavioral (heuristic) analysis will help him to alert on similar behaviors. Chris should build an alert that alarms when servers in his data center connect to domains that are not already whitelisted and should strongly consider whether servers should be allowed to initiate outbound connections at all!
During their organization's incident response preparation, Charles and Linda are identifying critical information assets that the company uses. Included in their organizational data sets is a list of customer names, addresses, phone numbers, and demographic information. How should Charles and Linda classify this information? PII Intellectual property PHI PCI-DSS
A. Personally identifiable information (PII) includes information that can be used to identify, contact, or locate a specific individual. At times, PII must be combined with other data to accomplish this but remains useful for directly identifying an individual. The data that Charles and Linda are classifying is an example of PII. PHI is personal health information. Intellectual property is the creation of human minds including copyrighted works, inventions, and other similar properties. PCI-DSS is the Payment Card Industry Data Security Standards.
Kelly sees high CPU utilization in the Windows Task Manager, as shown here, while reviewing a system's performance issues. If she wants to get a detailed view of the CPU usage by application, with PIDs and average CPU usage, what native Windows tool can she use to gather that detail? Window shows CPU (Intel(R) Core™i7-3770K CPU at 350 gigahertz, graph shows percent utilization from 0 to 100 percent over 60 seconds with options for utilization, speed, processes, threads, handles, up time, maximum speed, sockets, cores, virtualization, et cetera. Resource Monitor Task Manager iperf Perfmon
A. Resource Manager provides average CPU utilization in addition to real-time CPU utilization. Since Kelly wants to see average usage over time, she is better off using Resource Manager instead of Task Manager (which meets all of her other requirements). Performance Monitor is useful for collecting performance data, and iperf is a network performance measurement tool.
Roger's SolarWinds monitoring system provides Windows memory utilization reporting. Use the chart shown here to determine what actions Roger should take based on his monitoring. Window shows memory capacity forecast chart where graph shows range from 23rd January to 17th April versus percent load from 0 percent to 50 percent, and table shows columns for resource, trend slope, warning, critical, and at capacity. The memory usage is stable and can be left as it is. The memory usage is high and must be addressed. Roger should enable automatic memory management. There is not enough information to make a decision.
A. Roger has memory usage monitoring enabled with thresholds shown at the bottom of the chart that will generate an alarm if it continues. The chart shows months of stable memory utilization with very little deviation. While a sudden increase could happen, this system appears to be functioning well. Memory usage is high, however, in a well-tuned system that does not have variable memory usage or sudden spikes. This is often an acceptable situation. Windows does not have an automated memory management tool that will curtail memory usage in this situation.
Cameron believes that the Ubuntu Linux system that he is restoring to service has already been fully updated. What command can he use to check for new updates, and where can he check for the history of updates on his system? apt-get -u upgrade, /var/log/apt rpm -i upgrade, /var/log/rpm upgrade -l, /var/log/upgrades apt-get install -u; Ubuntu Linux does not provide a history of updates
A. The apt command is used to install and upgrade packages in Ubuntu Linux from the command line. The command apt-get -u upgrade will list needed upgrades and patches (and adding the -V flag will provide useful version information). The information about what patches were installed is retained in /var/log/apt, although log rotation may remove or compress older update information.
Christina is configuring her SolarWinds alerts for rogue devices and wants to select an appropriate reset condition for rogue MAC address alerts. Which of the options shown here is best suited to handling rogue devices if she wants to avoid creating additional work for her team? Window shows section for reset condition and options for reset this alert when trigger condition is no longer true, create special reset condition for this alert, et cetera. Reset when no longer true. Reset after a time period. No reset condition; trigger each time condition is met. No reset action; manually remove the alert from the active alerts list.
A. The simplest way to handle a configuration like this is to allow it to be reset when the condition is no longer true. If Christina adds the MAC address to her allowed devices list, this will automatically remove the alert. If she does not, the alert will remain for proper handling.
What type of forensic investigation-related form is shown here? Chain of custody Report of examination Forensic discovery log Policy custody release
A. This form is a sample chain of custody form. It includes information about the case, copies of drives that were created, and who was in possession of drives, devices, and copies during the investigation.
Chris wants to prevent evil twin attacks from working on his wireless network. Which of the following is not a useful method for detecting evil twins? Check for BSSID. Check the SSID. Check the attributes (channel, cipher, authentication method). Check for tagged parameters like the organizational unique identifier.
B. Checking the SSID won't help since an evil twin specifically clones the SSID of a legitimate AP. Evil twins can be identified by checking their BSSID (the wireless MAC address). If the wireless MAC has been cloned, checking additional attributes such as the channel, cipher, or authentication method can help identify them. In many cases, they can also be identified using the organizational unique identifier (OUI) that is sent as a tagged parameter in beacon frames.
After completing an incident response process and providing a final report to management, what step should Casey use to identify improvement to her incident response plan? Update system documentation. Conduct a lessons-learned session. Review patching status and vulnerability scans. Engage third-party consultants.
B. Conducting a lessons-learned review after using an incident response plan can help to identify improvements and to ensure that the plan is up-to-date and ready to handle new events.
Jessica wants to recover deleted files from slack space and needs to identify where the files begin and end. What is this process called? Slacking Data carving Disk recovery Header manipulation
B. Data carving is the process of identifying files based on file signatures such as headers and footers and then pulling the information between those locations out as a file. Jessica can use common carving tools or could manually carve files if she knows common header and footer types that she can search for.
Degaussing is an example of what form of media sanitization? Clearing Purging Destruction It is not a form of media sanitization.
B. Degaussing, which uses a powerful electromagnet to remove data from tape media, is a form of purging.
Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network? Persistence of the beaconing Beacon protocol Beaconing interval Removal of known traffic
B. Unless she already knows the protocol that a particular beacon uses, filtering out beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge common analytical tools and will use protocols that are less likely to attract attention. Filtering network traffic for beacons based on the intervals and frequency they are sent at, if the beacon persists over time, and removing known traffic are common means of filtering traffic to identify beacons.
As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture? File creation dates Deleted files File permission data File metadata
B. When a network share or mounted drive is captured from the system that mounts it, data like deleted files, unallocated space, and other information that requires direct drive access will not be captured. If Scott needs that information, he will need to create a forensic image of the drive from the host server.
In his role as a forensic examiner, Lucas has been asked to produce forensic evidence related to a civil case. What is this process called? Criminal forensics E-discovery Cyber production Civil tort
B. When forensic evidence or information is produced for a civil case, it is called e-discovery. This type of discovery often involves massive amounts of data including email, files, text messages, and any other electronic evidence that is relevant to the case.
Fred wants to prevent buffer overflows from succeeding against his organization's web applications. What technique is best suited to preventing this type of attack from succeeding? User input canonicalization User input size checking Format string validation Buffer overwriting
B. While it may seem to be a simple answer, ensuring that all input is checked to make sure that it is not longer than the variable or buffer it will be placed into is an important part of protecting web applications. Canonicalization is useful against scripting attacks. Format string attacks occur when input is interpreted as a command by an application. Buffer overwriting typically occurs with a circular buffer as data is replaced and is not an attack or attack prevention method.
As Lauren studies her company's computer forensics playbook, she notices that forensic investigators are required to use a chain of custody form. What information would she record on that form if she was conducting a forensic investigation? The list of individuals who made contact with files leading to the investigation The list of former owners or operators of the PC involved in the investigation All individuals who work with evidence in the investigation The police officers who take possession of the evidence
C. A chain of custody form is used to record each person who works with or is in contact with evidence in an investigation. Typically, investigative work is also done in a way that fully records all actions taken and sometimes requires two people present to verify actions taken.
Lisa is following the CompTIA process for validation after a compromise. Which of the following actions should be included in this phase? Sanitization Re-imaging Setting permissions Secure disposal
C. CompTIA defines two phases: incident eradication and validation. Validation phase activities per CompTIA's split include patching, permissions, scanning, and verifying logging works properly.
Cynthia has completed the validation process of her media sanitization efforts and has checked a sample of the drives she had purged using a built-in cryptographic wipe utility. What is her next step? Resample to validate her testing. Destroy the drives. Documentation She is done and can send the drives on for disposition.
C. Documentation is important when tracking drives to ensure that all drives that should be sanitized are being received. Documentation can also provide evidence of proper handling for audits and internal reviews.
Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in? Single crack mode Wordlist mode Incremental mode External mode
C. Incremental mode is John the Ripper's most powerful mode, as it will try all possible character combinations as defined by the settings you enter at the start. Single crack mode tries to use login names with various modifications and is very useful for initial testing. Wordlist uses a dictionary file along with mangling rules to test for common passwords. External mode relies on functions that are custom-written to generate passwords. External mode can be useful if your organization has custom password policies that you want to tweak the tool to use.
While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports? Different patch levels during the scans They are scanning through a load balancer. There is a firewall between the remote network and the server. Scott or Joanna ran the vulnerability scan with different settings.
C. Local scans often provide more information than remote scans because of network or host firewalls that block access to services. The second most likely answer is that Scott or Joanna used different settings when they scanned.
As the CISO of her organization, Jennifer is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? An incident An event An adverse event A security incident
C. NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn't be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. Intentional or malicious access would cause the adverse event to become a security incident.
Frank wants to improve the effectiveness of the incident analysis process he is responsible for as the leader of his organization's CSIRT. Which of the following is not a commonly recommended best practice based on NIST's guidelines? Profile networks and systems to measure the characteristics of expected activity. Perform event correlation to combine information from multiple sources. Maintain backups of every system and device. Capture network traffic as soon as an incident is suspected.
C. NIST does not include making backups of every system and device in its documentation. Instead, NIST suggests maintaining an organization-wide knowledge base with critical information about systems and applications. Backing up every device and system can be prohibitively expensive. Backups are typically done only for specific systems and devices, with configuration and restoration data stored for the rest.
What is the primary role of management in the incident response process? Leading the CSIRT Acting as the primary interface with law enforcement Providing authority and resources Assessing impact on stakeholders
C. The primary role of management in an incident response effort is to provide the authority and resources required to respond appropriately to the incident. They may also be asked to make business decisions, communicate with external groups, or assess the impact on key stakeholders.
Lauren is the IT manager for a small company and occasionally serves as the organization's information security officer. Which of the following roles should she include as the leader of her organization's CSIRT? Her lead IT support staff technician Her organization's legal counsel A third-party IR team lead She should select herself.
D. A CSIRT leader must have authority to direct the incident response process and should be able to act as a liaison with organizational management. While Lauren may not have deep incident response experience, she is in the right role to provide those connections and leadership. She should look at retaining third-party experts for incidents if she needs additional skills or expertise on her IR team.
Janet is attempting to conceal her actions on a company-owned computer. As part of her cleanup attempts, she deletes all of the files she downloaded from a corporate file server using a browser in incognito mode. How can a forensic investigator determine what files she downloaded? Network flows SMB logs Browser cache Drive analysis
D. A forensic investigator's best option is to seize, image, and analyze the drive that Janet downloaded the files to. Since she only deleted the files, it is likely that the investigator will be able to recover most of the content of the files, allowing them to be identified. Network flows do not provide file information, SMB does not log file downloads, browser caches will typically not contain a list of all downloaded files, and incognito mode is specifically designed to not retain session and cache information.
While reviewing his OSSEC SIEM logs, Chris notices the following entries. What should his next action be if he wants to quickly identify the new user's creation date and time? Table shows examples for [OSSEC] New group added to system (5901, 5902). Check the user.log for a new user. Check syslog for a new user. Check /etc/passwd for a new user. Check auth.log for a new user.
D. Both auth.log and /etc/passwd may show evidence of the new user, but auth.log will provide details, while Chris would need to have knowledge of which users existed prior to this new user being added. Chris will get more useful detail by checking auth.log.
Forensic investigation shows that the target of the investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence? Clear Purge Destroy None of the above
D. The Windows Quick Format option leaves data in unallocated space on the new volume, allowing the data to be carved and retrieved. This does not meet the requirements for any of the three levels of sanitization defined by NIST.
During a forensic investigation, Steve records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Steve is using as he labels evidence with details of who acquired and validated it? Direct evidence Circumstantial evidence Incident logging Chain of custody
D. The chain of custody for evidence is maintained by logging and labeling evidence. This ensures that the evidence is properly controlled and accessed.
During an incident response process Susan plugs a system back into the network, allowing it normal network access. What phase of the incident response process is Susan performing? Preparation Detection and analysis Containment, eradication, and recovery Post-incident activity
C. Restoring a system to normal function, including removing it from isolation, is part of the containment, eradication, and recovery stage. This may seem to be part of the post-incident activity phase, but that phase includes activities such as reporting and process updates rather than system restoration.
While reviewing storage usage on a Windows system, Brian checks the volume shadow copy storage as shown here: C:\WINDOWS\system32>vssadmin list Shadowstorage vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2013 Microsoft Corp. Shadow Copy Storage association For volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e69633}\ Shadow Copy Storage volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}\ Used Shadow Copy Storage space: 25.6 GB (2%) Allocated Shadow Copy Storage space: 26.0 GB (2%) Maximum Shadow Copy Storage space: 89.4 GB (10%) What purpose does this storage serve, and can he safely delete it? It provides a block-level snapshot and can be safely deleted. It provides secure hidden storage and can be safely deleted. It provides secure hidden storage and cannot be safely deleted. It provides a block-level snapshot and cannot be safely deleted.
A. As long as Brian is comfortable relying on another backup mechanism, he can safely disable volume shadow copies and remove the related files. For the drive he is looking at, this will result in approximately 26GB of storage becoming available.
Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system? Both /etc/passwd and /etc/shadow /etc/shadow /etc/passwd Chris cannot recover passwords; only hashes are stored.
A. Chris needs both /etc/passwd and /etc/shadow for John to crack the passwords. While only hashes are stored, John the Ripper includes built-in brute-force tools that will crack the passwords.
Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form fill information saved in? SQLite Plain text Base64 encoded text NoSQL
A. Chrome stores a broad range of useful forensic information in its SQLite database, including cookies, favicons, history, logins, top sites, web form data, and other details. Knowing how to write SQL queries or having access to a forensic tool that makes these databases easy to access can provide a rich trove of information about the web browsing history of a Chrome user.
Jessica wants to access a macOS FileVault 2-encrypted drive. Which of the following methods is not a possible means of unlocking the volume? Change the FileVault key using a trusted user account. Retrieve the key from memory while the volume is mounted. Acquire the recovery key. Extract the keys from iCloud.
A. FileVault does allow trusted accounts to unlock the drive but not by changing the key. FileVault 2 keys can be recovered from memory for mounted volumes and much like BitLocker, it suggests that users record their recovery key, so Jessica may want to ask the user or search their office or materials if possible. Finally, FileVault keys can be recovered from iCloud, providing her with a third way to get access to the drive.
John has designed his network as shown here and places untrusted systems that want to connect to the network into the Guests network segment. What is this type of segmentation called? Diagram shows Internet leads to firewall which leads to DMZ (via firewall), high security (via firewall), users, and guests. Proactive network segmentation Isolation Quarantine Removal
A. John is not responding to an incident, so this is an example of proactive network segmentation. If he discovered a system that was causing issues, he might create a dedicated quarantine network or could isolate or remove the system.
If Danielle wants to purge a drive, which of the following options will accomplish her goal? Cryptographic erase Reformat Overwrite Repartition
A. Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting will leave the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning will also leave data intact in the new partitions.
Scott needs to ensure that the system he just rebuilt after an incident is secure. Which type of scan will provide him with the most useful information to meet his goal? An authenticated vulnerability scan from a trusted internal network An unauthenticated vulnerability scan from a trusted internal network An authenticated scan from an untrusted external network An unauthenticated scan from an untrusted external network
A. Since Scott needs to know more about potential vulnerabilities, an authenticated scan from an internal network will provide him with the most information. He will not gain a real attacker's view, but in this case, having more detail is important!
Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need? Suspend the machine and copy the contents of the directory it resides in. Perform a live image of the machine. Suspend the machine and make a forensic copy of the drive it resides on. Turn the virtual machine off and make a forensic copy of it.
A. Suspending a virtual machine will result in the RAM and disk contents being stored to the directory where it resides. Simply copying that folder is then sufficient to provide Susan with all the information she needs. She should not turn the virtual machine off, and creating a forensic copy of the drive is not necessary (but she should still validate hashes for the copied files or directory).
Alex suspects that an attacker has modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determining whether this has occurred? file stat strings grep
A. The Linux file command shows a file's format, encoding, what libraries it is linked to, and its file type (binary, ASCII text, etc.). Since Alex suspects that the attacker used statically linked libraries, the file command is the best command to use for this scenario. stat provides the last time accessed, permissions, UID and GID bit settings, and other details. It is useful for checking when a file was last used or modified but won't provide details about linked libraries. strings and grep are both useful for analyzing the content of a file and may provide Alex with other hints but won't be as useful as the file command for this purpose.
Lauren wants to ensure that the two most commonly used methods for preventing Linux buffer overflow attacks are enabled for the operating system she is installing on her servers. What two related technologies should she investigate to help protect her systems? The NX bit and ASLR StackAntismash and DEP Position-independent variables and ASLR DEP and the position-independent variables
A. The NX bit sets fine-grained permissions to mapped memory regions, while ASLR ensures that shared libraries are loaded at randomized locations, making it difficult for attackers to leverage known locations in memory via shared library attacks. DEP is a Windows tool for memory protection, and position-independent variables are a compiler-level protection that is used to secure programs when they are compiled.
Alex wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about? The registry The user profile directory The wireless adapter cache Wireless network lists are not stored after use.
A. The Windows registry stores a list of wireless networks the system has connected to in the registry under HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles. This is not a user-specific setting and is stored for all users in LocalMachine.
Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this? Set the "read-only" jumper on the drive. Use a write blocker. Use a read blocker. Use a forensic software package.
B. A hardware write blocker can ensure that connecting or mounting the drive does not cause any changes to occur on the drive. Mika should create one or more forensic images of the original drive and then work with the copy or copies as needed. She may then opt to use forensic software, possibly including a software write blocker.
Which of the following is not an important part of the incident response communication process? Limiting communication to trusted parties Disclosure based on public feedback Using a secure method of communication Preventing accidental release of incident-related information
B. Disclosure based on regulatory or legislative requirements is commonly part of an incident response process; however, public feedback is typically a guiding element of information release. Limiting communication to trusted parties and ensuring that data and communications about the incident are properly secured are both critical to the security of the incident response process. This also means that responders should work to limit the potential for accidental release of incident-related information.
During a forensic analysis of an employee's computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation? A wiped C: drive Antiforensic activities All slack space cleared Temporary files and Internet history wiped
B. Eraser is a tool used to securely wipe files and drives. If Eraser is not typically installed on his organization's machines, Tim should expect that the individual being investigated has engaged in some antiforensic activities including wiping files that may have been downloaded or used against company policy. This doesn't mean he shouldn't continue his investigation, but he may want to look at Eraser's log for additional evidence of what was removed.
While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set. What issue is he most likely encountering? Window shows dialog box of select image destination with options for image destination folder, image filename, use AD encryption, et cetera. The files need to be compressed. The destination drive is formatted FAT32. The destination drive is formatted NTFS. The files are encrypted.
B. FTK Imager Light is shown configured to write a single large file that will fail on FAT32-formatted drives where the largest single file is 4GB. If Chris needs to create a single file, he should format his destination drive as NTFS. In many cases, he should simply create a raw image to a blank disk instead!
The senior management at the company that Kathleen works for is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information? A discovery scan using a port scanner. Router and switch-based MAC address reporting. A physical survey. Reviewing a central administration tool like SCCM.
B. If Kathleen's company uses a management system or inventory process to capture the MAC addresses of known organizationally owned systems, then a MAC address report from her routers and switches will show her devices that are connected that are not in inventory. She can then track down where the device is physically connected to the port on the router or switch to determine whether the device should be there.
During a forensic investigation, Charles discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. Copy the virtual disk files and then use a memory capture tool. Escalate to management to get permission to suspend the system to allow a true forensic copy.
B. If business concerns override his ability to suspend the system, the best option that Charles has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, volatility can capture memory artifacts but is not designed to capture a full virtual machine
While working to restore systems to their original configuration after a long-term APT compromise, Charles has three options. He can restore from a backup and then update patches on the system. He can rebuild and patch the system using original installation media and application software using his organization's build documentation. He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems. Which option should Charles choose in this scenario? Option A Option B Option C None of the above. Charles should hire a third party to assess the systems before proceeding.
B. In cases where an advanced persistent threat (APT) has been present for an unknown period of time, backups should be assumed to be compromised. Since APTs often have tools that cannot be detected by normal anti-malware techniques, the best option that Charles has is to carefully rebuild the systems from the ground up and then ensure that they are fully patched and secured before returning them to service.
Jennifer is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first? Authorized MAC Authorized SSID Authorized channel Authorized vendor
B. In most cases, the first detection type Jennifer should deploy is a rogue SSID detection capability. This will help her reduce the risk of users connecting to untrusted SSIDs. She may still want to conduct scans of APs that are using channels they should not be, and of course her network should either use network access controls or scan for rogue MAC addresses to prevent direct connection of rogue APs and other devices.
James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system? Plug the system in to the network and capture the traffic quickly at the firewall using Wireshark. Plug the system into an isolated switch and use a span port or tap and Wireshark to capture traffic. Review the ARP cache for outbound traffic. Review the Windows firewall log for traffic logs.
B. James can temporarily create an untrusted network segment and use a span port or tap to allow him to see traffic leaving the infected workstation. Using Wireshark, he can build a profile of the traffic it sends, helping him build a fingerprint of the beaconing behavior. Once he has this information, he can then use it in his recovery efforts to ensure that other systems are not similarly infected.
Joe is aware that an attacker has compromised a system on his network but wants to continue to observe the attacker's efforts as they continue their attack. If Joe wants to prevent additional impact on his network while watching what the attacker does, what containment method should he use? Removal Isolation Segmentation Detection
B. Joe can choose to isolate the compromised system, either physically or logically, leaving the attacker with access to the system while isolating it from other systems on his network. If he makes a mistake, he could leave his own systems vulnerable, but this will allow him to observe the attacker.
Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system? chbkup getfacl aclman There is not a common Linux permission backup tool.
B. Linux provides a pair of useful ACL backup and restore commands: getfacl allows recursive backups of directories, including all permissions to a text file, and setfacl restores those permissions from the backup file. Both aclman and chbkup were made up for this question.
If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them? File size and file creation date MD5 hash Private key and cryptographic hash Public key and cryptographic hash
B. Lucca only needs a verifiable MD5 hash to validate the files under most circumstances. This will let him verify that the file he downloaded matches the hash of the file that the vendor believes they are providing. There have been a number of compromises of vendor systems, including open source projects that included distribution of malware that attackers inserted into the binaries or source code available for download, making this an important step when security is critical to an organization.
Fred needs to validate the MD5 checksum of a file on a Windows system but is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file? md5sum certutil sha1sum hashcheck
B. Modern versions of Windows include the built-in certutil utility. Running certutil -hashfile [file location] md5 will calculate the MD5 hash of a file. certutil also supports SHA1 and SHA256 as well as other less frequently used hashes. md5sum and sha1sum are Linux utilities, and hashcheck is a shell extension for Windows.
NIST describes four major phases in the incident response cycle. Which of the following is not one of the four? Containment, eradication, and recovery Notification and communication Detection and analysis Preparation
B. NIST identifies four major phases in the IR life cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Notification and communication may occur in multiple phases.
Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the on-site team. Why are the items labeled like this? To ensure chain of custody To ensure correct re-assembly To allow for easier documentation of acquisition To tamper-proof the system
B. Re-assembling the system to match its original configuration can be important in forensic investigations. Color-coding each cable and port as a system is disassembled before moving helps to ensure proper re-assembly. Mika should also have photos taken by the on-site investigators to match her re-assembly work to the on-site configuration.
While reviewing her Nagios logs, Selah discovers the error message shown here. What should she do about this error? Diagram shows boxes labeled demo.sample.com, Apache 404 errors, critical, 1 day 6 hours 2 minutes 11 seconds, and 1/1. Check for evidence of a port scan. Review the Apache error log. Reboot the server to restore the service. Restart the Apache service.
B. Selah should check the error log to determine what web page or file access resulted in 404 "not found" errors. The errors may indicate that a page is mislinked, but it may also indicate a scan occurring against her web server.
The Stuxnet attack relied on engineers who transported malware with them, crossing the air gap between networks. What type of threat is most likely to cross an air-gapped network? Email Web Removable media Attrition
C. An air gap is a design model that removes connections between network segments or other systems. The only way to cross an air gap is to carry devices or data between systems or networks, making removable media the threat vector here.
Jennifer's team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model? Regular Supplemented Extended Not recoverable
B. The NIST recoverability effort categories call a scenario in which time to recovery is predictable with additional resources "supplemented." The key to the NIST levels is to remember that each level of additional unknowns and resources required increases the severity level from regular to supplemented and then to extended. A nonrecoverable situation exists when the event cannot be remediated, such as when data is exposed. At that point, an investigation is launched. In a nongovernment agency, this phase might involve escalating to law enforcement.
Charles needs to review the permissions set on a directory structure on a Window system he is investigating. Which Sysinternals tool will provide him with this functionality? DiskView AccessEnum du AccessChk
B. The Sysinternals suite provides two tools for checking access, AccessEnum and AccessChk. AccessEnum is a GUI-based program that gives a full view of filesystem and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent. AccessChk is a command-line program that can check the rights a user or group has to resources.
Rick wants to monitor permissions and ownership changes of critical files on the Red Hat Linux system he is responsible for. What Linux tool can he use to do this? watchdog auditctl dirwatch monitord
B. The audit package can provide this functionality. auditd runs as a service, and then auditctl is used to specifically call out the files or directories that will be monitored.
NIST defines five major types of threat information types in NIST SP 800-150, "Guide to Cyber Threat Information Sharing." Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred Tactics, techniques, and procedures that describe the behavior of an actor Security alerts like advisories and bulletins Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used Tool configurations that support collection, exchange, analysis, and use of threat information Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats? 1, 2, and 5 1, 3, and 5 2, 4, and 5 1, 2, and 4
B. The more effort Frank puts into staying up-to-date with information by collecting threat information (5), monitoring for indicators (1), and staying up-to-date on security alerts (3), the stronger his organization's security will be. Understanding specific threat actors may become relevant if they specifically target organizations like Frank's, but as a midsize organization Frank's employer is less likely to be specifically targeted directly.
During her forensic analysis of a Windows system, Cynthia accesses the registry and checks \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogin. What domain was the system connected to, and what was the username that would appear at login? Table shows columns for name (background, CachedLogonsCount, DefaultUserName, DisableCAD, type (REG_SZ, REG_DWORD), and data (explorer.exe). Admin, administrator No domain, admin Legal, admin Corporate, no default username
B. This system is not connected to a domain (default domain name has no value), and the default user is admin.
As part of his incident response program, Allan is designing a playbook for zero-day threats. Which of the following should not be in his plan to handle them? Segmentation Patching Using threat intelligence Whitelisting
B. While patching is useful, it won't stop zero-day threats. If Allan is building a plan specifically to deal with zero-day threats, he should focus on designing his network and systems to limit the possibility and impact of an unknown vulnerability. That includes using threat intelligence, using segmentation, using whitelisting applications, implementing only necessary firewall rules, using behavior and baseline-based intrusion prevention rules and SIEM alerts, and building a plan in advance!
As part of his organization's cooperation in a large criminal case, Adam's forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam's team take prior to sending a drive containing the forensic image? Encode in EO1 format and provide a hash of the original file on the drive. Encode in FTK format and provide a hash of the new file on the drive. Encrypt the RAW file and transfer a hash and key under separate cover. Decrypt the RAW file and transfer a hash under separate cover.
C. A general best practice when dealing with highly sensitive systems is to encrypt copies of the drives before they are sent to third parties. Adam should encrypt the drive image and provide both the hash of the image and the decryption key under separate cover (sent via a separate mechanism) to ensure that losing the drive itself does not expose the data. Once the image is in the third-party examiner's hands, they will be responsible for its security. Adam may want to check on what their agreement says about security!
Angela wants to use her network security device to detect potential beaconing behavior. Which of the following options is best suited to detecting beaconing using her network security device? Antivirus definitions File reputation IP reputation Static file analysis
C. Angela's best choice would be to implement IP reputation to monitor for connections to known bad hosts. Antivirus definitions, file reputation, and static file analysis are all useful for detecting malware, but command-and-control traffic like beaconing will typically not match definitions, won't send known files, and won't expose files for analysis.
After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs? Power them down, take pictures of how each is connected, and log each system in as evidence. Take photos of each system, power them down, and attach a tamper-evident seal to each PC. Collect live forensic information, take photos of each system, and power them down. Collect a static drive image, validate the hash of the image, and securely transport each system.
C. Brian should determine whether he needs live forensic information, but if he is not certain, the safest path for him is to collect live forensic information, take photos so that he knows how each system was set up and configured, and then power them down. He would then log each system as evidence and will likely create forensic copies of the drives once he reaches his forensic work area or may use a portable forensic system to make drive images on-site. Powering a running system down can result in the loss of significant forensic information, meaning that powering a system down before collecting some information is typically not recommended. Collecting a static image of a drive requires powering the system down first!
While reviewing his network for rogue devices, Dan notes that a system with MAC address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his building for three days. What information can this provide Dan that may be helpful if he conducts a physical survey of the office? The operating system of the device The user of the system The vendor who built the system The type of device that is connected
C. Dan can look up the manufacturer prefix that makes up the first part of the MAC address. In this case, Dan will discover that the system is likely a Dell, potentially making it easier for him to find the machine in the office. Network management and monitoring tools like SolarWinds build in this identification capability, making it easier to see if unexpected devices show up on the network. Of course, if the local switch is a managed switch, he can also query it to determine what port the device is plugged into and follow the network cable to it!
Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. What phase of the incident response process is Dan in? Post-incident activity Detection and analysis Preparation Containment, eradication, and recovery
C. Dan's efforts are part of the preparation phase, which involves activities intended to limit the damage an attacker could cause.
Near the end of a typical business day, Danielle is notified that her organization's email servers have been blacklisted because of email that appears to originate from her domain. What information does she need to start investigating the source of the spam emails? Firewall logs showing SMTP connections The SMTP audit log from her email server The full headers of one of the spam messages Network flows for her network
C. Danielle's best bet to track down the original source of the emails that are being sent is to acquire full headers from the spam email. This will allow her to determine whether the email is originating from a system on her network or whether the source of the email is being spoofed. Once she has headers or if she cannot acquire them, she may want to check one or more of the other options on this list for potential issues.
The system that Alice has identified as the source of beaconing traffic is one of her organization's critical e-commerce servers. To maintain her organization's operations, she needs to quickly restore the server to its original, uncompromised state. What criteria is most likely to be impacted the most by this action? Damage to the system or service Service availability Ability to preserve evidence Time and resources needed to implement the strategy
C. If Alice focuses on a quick restoration, she is unlikely to preserve all of the evidence she would be able to during a longer incident response process. Since she is focusing on quick restoration, the service should be available more quickly, and the service and system should not be damaged in any significant way by the restoration process. The time required to implement the strategy will typically be less if she does not conduct a full forensic investigation and instead focuses on service restoration.
Angela is attempting to determine when a user account was created on a Windows 10 workstation. What method is her best option if she believes the account was created recently? Check the System log. Check the user profile creation date. Check the Security log. Query the registry for the user ID creation date.
C. If the Security log has not rotated, Angela should be able to find the account creation under event ID 4720. The System log does not contain user creation events, and user profile information doesn't exist until the user's first login. The registry is also not a reliable source of account creation date information.
As Lauren prepares her organization's security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness? Attrition Impersonation Improper usage Web
C. Improper usage, which results from violations of an organization's acceptable use policies by authorized users, can be reduced by implementing a strong awareness program. This will help ensure users know what they are permitted to do and what is prohibited. Attrition attacks focus on brute-force methods of attacking services. Impersonation attacks include spoofing, man-in-the-middle attacks, and similar threats. Finally, web-based attacks focus on websites or web applications. Awareness may help with some specific web-based attacks like fake login sites, but many others would not be limited by Lauren's awareness efforts.
Luke needs to verify settings on a macOS computer to ensure that the configuration items he expects are set properly. What type of file is commonly used to store configuration settings for macOS systems? The registry .profile files Plists .config files
C. Luke should expect to find most of the settings he is looking for contained in plists, or property lists, which are XML files encoded in a binary format.
Lauren recovers a number of 16GB and 32GB microSD cards during a forensic investigation. Without checking them manually, what filesystem type is she most likely to find them formatted in as if they were used with a digital camera? RAW FAT16 FAT32 HFS+
C. Most portable consumer devices, especially those that generate large files, format their storage as FAT32. FAT16 is limited to 2GB partitions, RAW is a photo file format, and HFS+ is the native macOS file format. Lauren can expect most devices to format media as FAT32 by default because of its broad compatibility across devices and operating systems.
The organization that Alex works for classifies security related events using NIST's standard definitions. Which classification should he use when he discovers key logging software on one of his frequent business traveler's laptop? An event An adverse event A security incident A policy violation
C. NIST describes events like this as security incidents because they are a violation or imminent threat of violation of security policies and practices. An adverse event is any event with negative consequences, and an event is any observable occurrence on a system or network.
Frank wants to ensure that media has been properly sanitized. Which of the following options properly lists sanitization descriptions from least to most effective? Purge, clear, destroy Eliminate, eradicate, destroy Clear, purge, destroy Eradicate, eliminate, destroy
C. NIST identifies three activities for media sanitization: clearing, which uses logical techniques to sanitize data in all user-addressable storage locations; purging, which applies physical or logical techniques to render data recovery infeasible using state-of-the-art laboratory techniques; and destruction, which involves physically destroying the media.
Jessica wants to track the changes made to the registry and filesystem while running a suspect executable on a Windows system. Which Sysinternals tool will allow her to do this? App Monitor Resource Tracker Process Monitor There is not a Sysinternals tool with this capability.
C. Process Monitor provides detailed tracking of filesystem and registry changes as well as other details that can be useful when determining what changes an application makes to a system. This is often used by system administrators as well as forensic and incident response professionals, as it can help make tracking down intricate installer problems much easier!
Alex needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process? Clear, validate, and document. Purge the drives. Purge, validate, and document. The drives must be destroyed to ensure no data loss.
C. Since the drives are being returned at the end of a lease, you must assume that the contract does not allow them to be destroyed. This means that purging the drives, validating that the drives have been purged, and documenting the process to ensure that all drives are included are the appropriate actions. Clearing the drives leaves the possibility of data recovery, while purging, as defined by NIST SP 800-88, renders data recovery infeasible.
Where is slack space found in the following Windows partition map? Window shows markings for disk 0 and boxes labeled system reserved, (C:), and 449 megabytes unallocated. The System Reserved partition The System Reserved and Unallocated partitions The System Reserved and C: partitions The C: and unallocated partitions
C. Slack space is leftover storage that exists because files do not take up the entire space allocated for them. Since the Unallocated partition does not have a filesystem on it, space there should not be considered slack space. Both System Reserved and C: are formatted with NTFS and will have slack space between files.
Jeff discovers multiple .jpg photos during his forensic investigation of a computer involved in an incident. When he runs exiftool to gather file metadata, which information is not likely to be part of the images even if they have complete metadata intact? GPS location Camera type Number of copies made Correct date/timestamp
C. The amount of metadata included in photos varies based on the device used to take them, but GPS location, GPS timestamp-based time (and thus correct, rather than device native), and camera type can all potentially be found. Image files do not track how many times they have been copied!
Selah is preparing to collect a forensic image for a Macintosh computer. What hard drive format is she most likely to encounter? FAT32 MacFAT HFS+ NTFS
C. The default macOS drive format is HFS+ and is the native macOS drive format. By default, it uses 512-byte logical blocks (sectors) and up to 4,294,967,296 allocation blocks. macOS does support FAT32 and can read NTFS but cannot write to NTFS drives without additional software. MacFAT was made up for this problem.
While checking for bandwidth consumption issues, Alex uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4Gb of data, but his network flow logs show that the system has sent over 20Gb. What problem has Alex encountered? A rootkit is concealing traffic from the Linux kernel. Flow logs show traffic that does not reach the system. ifconfig resets traffic counters at 4Gb. ifconfig only samples outbound traffic and will not provide accurate information.
C. The traffic values captured by ifconfig reset at 4Gb of data, making it an unreliable means of assessing how much traffic a system has sent when dealing with large volumes of traffic. Alex should use an alternate tool designed specifically to monitor traffic levels to assess the system's bandwidth usage.
Fred is attempting to determine whether a user account is accessing other systems on his network and uses lsof to determine what files the user account has open. What information should he identify when faced with the following lsof output? Table shows columns for COMMAND (bash, ssh), PID, USER (demo), FD, TYPE (DIR, IPv4, mem, txt), DEVICE, SIZE/OFF, NODE, and NAME. The user account demo is connected from remote.host.com to a local system. The user demo has replaced the /bash executable with one they control. The user demo has an outbound connection to remote.host.com. The user demo has an inbound ssh connection and has replaced the bash binary
C. The output of lsof shows a connection from the local host (10.0.2.6) to remote .host.com via ssh. The listing for /bin/bash simply means that demo is using the bash shell. Fred hasn't found evidence of demo accessing other systems on his local network but might find the outbound ssh connection interesting.
Susan discovers the following log entries that occurred within seconds of each other in her Squert (a Sguil web interface) console. What have her network sensors most likely detected? Table shows examples such as ET POLICY suspicious inbound to Oracle SQL port 1521, ET SCAN potential VNC scan 5800-5820, et cetera. A failed database connection from a server A denial-of-service attack A port scan A misconfigured log source
C. The series of connection attempts shown is most likely associated with a port scan. A series of failed connections to various services within a few seconds (or even minutes) is common for a port scan attempt. A denial-of-service attack will typically be focused on a single service, while an application that cannot connect will only be configured to point at one database service, not many. A misconfigured log source either would send the wrong log information or would not send logs at all in most cases.
Adam wants to quickly crack passwords from a Windows 7 system. Which of the following tools will provide the fastest results in most circumstances? John the Ripper Cain and Abel Ophcrack Hashcat
C. Under most circumstances Ophcrack's rainbow table-based cracking will result in the fastest hash cracking. Hashcat's high-speed, GPU-driven cracking techniques are likely to come in second, with John the Ripper and Cain and Abel's traditional CPU-driven cracking methods remaining slower unless their mutation-based password cracks discover simple passwords very quickly.
Which of the following mobile device forensic techniques is not a valid method of isolation during forensic examination? Use a forensic SIM. Buy and use a forensic isolation appliance. Place the device in an antistatic bag. Put the device in airplane mode.
C. Using a forensic SIM (which provides some but not all of the files necessary for the phone to work); using a dedicated forensic isolation appliance that blocks Wi-Fi, cellular, and Bluetooth signals; or even simply putting a device into airplane mode are all valid mobile forensic techniques for device isolation. While manipulating the device to put it into airplane mode may seem strange to traditional forensic examiners, this is a useful technique that can be documented as part of the forensic exercise if allowed by the forensic protocols your organization follows.
While investigating a system error, Lauren runs the df command on a Linux box that she is the administrator for. What problem and likely cause should she identify based on this listing? # df -h /var/ Filesystem Size Used Avail Use% Mounted on /dev/sda1 40G 11.2G 28.8 28% / /dev/sda2 3.9G 3.9G 0 100% /var The var partition is full and needs to be wiped. Slack space has filled up and needs to be purged. The var partition is full, and logs should be checked. The system is operating normally and will fix the problem after a reboot.
C. When /var fills up, it is typically due to log files filling up all available space. The /var partition should be reviewed for log files that have grown to extreme size or that are not properly set to rotate.
Adam needs to determine the proper retention policy for his organization's incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what time frame should he select? 30 days 90 days 1 to 2 years 7 years
C. Without other requirements in place, many organizations select a one- to two-year retention period. This allows enough time to use existing information for investigations but does not retain so much data that it cannot be managed. Regardless of the time period selected, organizations should set and consistently follow a retention policy.
Alex is diagnosing major network issues at a large organization and sees the following graph in her PRTG console on the "outside" interface of her border router. What can Alex presume has occurred? Graph shows live-graph - 60 minutes - 15 seconds interval on time from 08:50 to 09:40 versus range in megabit per second from 0 to 400. The network link has failed. A DDoS is in progress. An internal system is transferring a large volume of data. The network link has been restored.
D. A sudden resumption of traffic headed "in" after sitting at zero likely indicates a network link or route has been repaired. A link failure would show a drop to zero, rather than an increase. The complete lack of inbound traffic prior to the resumption at 9:30 makes it unlikely this is a DDoS, and the internal systems are not sending significant traffic outbound.
After law enforcement was called because of potential criminal activity discovered as part of a forensic investigation, the officers on the scene seized three servers. When can Joe expect his servers to be returned? After 30 days, which provides enough time for a reasonable imaging process. After 6 months, as required by law. After 1 year, as most cases resolve in that amount of time. Joe should not plan on a time frame for return.
D. Criminal investigations can take very long periods of time to resolve. In most cases, Joe should ensure that he can continue to operate without the servers for the foreseeable future.
Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes? Success Fail Full control All
D. Lauren will get the most information by setting auditing to All but may receive a very large number of events if she audits commonly used folders. Auditing only success or failure would not show all actions, and full control is a permission, not an audit setting.
During an incident response process, Cynthia conducts a lessons-learned review. What phase of the incident response process is she in? Preparation Detection and analysis Containment, eradication, and recovery Post-incident recovery
D. Lessons-learned reviews are typically conducted by independent facilitators who ask questions like "What happened, and at what time?" and "What information was needed, and when?" Lessons-learned reviews are conducted as part of the post-incident activity stage of incident response and provide an opportunity for organizations to improve their incident response process.
In order, which set of Linux permissions are least permissive to most permissive? 777, 444, 111 544, 444, 545 711, 717, 117 111, 734, 747
D. Linux permissions are read numerically as "owner, group, other." The numbers stand for read: 4, write: 2, and execute: 1. Thus, a 7 provides that person, group, or other with read, write, and execute. A 4 means read-only, a 5 means read and execute, without write, and so on. 777 provides the broadest set of permissions, and 000 provides the least.
When Charles arrived at work this morning, he found an email in his inbox that read, "Your systems are weak; we will own your network by the end of the week." How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs? An indicator A threat A risk A precursor
D. NIST SP 800-61 categorizes signs of an incident into two categories, precursors and indicators. Precursors are signs that an incident may occur in the future. Since there is not an indicator that an event is in progress, this can be categorized as a precursor. Now Charles needs to figure out how he will monitor for a potential attack!
In his role as a small company's information security manager, Mike has a limited budget for hiring permanent staff. While his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents? Outsource to a third-party SOC. Create an internal SOC. Hire an internal incident response team. Outsource to an incident response provider.
D. Outsourcing to a third-party incident response provider allows Mike to bring in experts when an incident occurs while avoiding the day-to-day expense of hiring a full-time staff member. This can make a lot of financial sense if incidents occur rarely, and even large organizations bring in third-party response providers when large incidents occur. A security operations center (SOC) would be appropriate if Mike needed day-to-day security monitoring and operations, and hiring an internal team does not match Mike's funding model limitations in this scenario.
Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool? Text messaging A Jabber server with TLS enabled Email with TLS enabled A messaging application that uses the Signal protocol
D. The Signal protocol is designed for secure end-to-end messaging, and using a distinct messaging tool for incident response can be helpful to ensure that staff separate incident communication from day-to-day operations. Text messaging is not secure. Email with TLS enabled is encrypted only between the workstation and email server and may be exposed in plain text at rest and between other servers. A Jabber server with TLS may be a reasonable solution but is less secure than a Signal-based application.
Charles wants to perform memory forensics on a Windows system and wants to access pagefile.sys. When he attempts to copy it, he receives the following error. What access method is required to access the page file? Window shows file in use with texts which read action can't be completed because file is open in another program and close file and try again with buttons for try again and cancel. Run Windows Explorer as an administrator and repeat the copy. Open the file using fmem. Run cmd.exe as an administrator and repeat the copy. Shut the system down, remove the drive, and copy it from another system.
D. The page file, like many system files, is locked while Windows is running. Charles simply needs to shut down the system and copy the page file. Some Windows systems may be set to purge the page file when the system is shut down, so he may need to pull the plug to get an intact page file.
Frank wants to log the creation of user accounts on a Windows 7 workstation. What tool should he use to enable this logging? secpol.msc auditpol.msc regedit Frank does not need to make a change; this is a default setting.
D. Windows audits account creation by default. Frank can search for account creation events under event ID 4720 for modern Windows operating systems.
After Janet's attempts to conceal her downloads of important corporate information were discovered, forensic investigators learned that she frequently copied work files to a USB drive. Which of the following is not a possible way to manually check her Windows workstation for a list of previously connected USB drives? Check the security audit logs. Check the setupapi log file. Search the registry. Check the user's profile.
D. Windows systems record new device connections in the security audit log if configured to do so. In addition, information is collected in both the setupapi log file and in the registry, including information on the device, its serial number, and often manufacturer and model details. The user's profile does not include device information.