DFIR

¡Supera tus tareas y exámenes ahora con Quizwiz!

This Digital Forensic Step: _____?_______ of relevant data to further an investigation or arrive at conclusions that can be translated into security-related actions within an organization is?

Analysis

This is a forensics technique that involves reassembling files from pieces of raw data, when no file system metadata is available?

Data Carving

This Event Viewer Classification is Generated by applications for troubleshooting purposes?

Debug

Determining if an incident occurred, and what type of incident it was.

Detection and analysis

Hackers can encrypt static data to avoid detection. This type of obfuscation is called?

Encryption

Name the Data Carving tool that is not a carving software, it is commonly used to view raw data. It is a hex editor that can edit a raw disk of any size, and modify RAM. It has an easy-to-use UI with many helpful features, such as search and replace, checksums, digests, insertion of byte patterns, and more

HxD

This Event Viewer Classification is Generated during a benign operation, with records of normal and expected behavior.

Informational

What action would you take for Incident Response Containment?

Isolate network segments, shut down compromised servers,

When Analyzing the file's access to registry entries the analyst is looking for?

Registry Changes

Hackers can hide information in network traffic. This type of obfuscation is called?

Tunneling

What is an automatic and pre-built in the Kali Linux distribution. All that is needed is to choose which action to perform on the specified executable.

UPX

What is an open-source collection of Python-based tools that support both Linux and Windows. It has an option to read different types of memory dumps and filter them according to different parameters. Extensions can be added to gather even more information about the processes.

Volatility Framework

This Event Viewer Classification is Generated when something is missing or required by an application or system.

Warning

This capture tool is A CLI-based Linux tool that can be used to clone entire drives and partitions.

dd

This CPU Architecture types for x86 is a competitor of Intel CPUs. In the past, there were compatibility issues with operating systems and programs based on this type of architecture.

AMD

This CPU Architecture types for x86 is mainly used in mobile and low power devices. It includes approximately 5000 different commands.

ARM

This capture tool is a commercial tool used for backups and restorations, but is not typically used for forensics.

Acronis

This Event Viewer Classification is an Actionable warning or error message that require someone's attention.

Alert

Network Activity is defined as?

Analyzing the system's network activity

The Technique when Common DLLs that run in every process can be infected?

AppCert DLL

This technique that the MBR can be manipulated to load malware upon restart?

Bootkit

Name the Data Carving tool that attempts to rebuild and recover files without using a specific file system structure. Is distinguished from other forensic tools by its speed and thoroughness. Because it ignores the file system structure, the tool can process different parts of a disk in parallel.

Bulk Extractor

John was tasked to investigate a network attack in accordance with the network forensics investigation flow process. What should be John's first step?

Check for malware signatures

This capture tool is A Linux distribution for drive cloning and imaging.

Clonezilla

This Digital Forensic Step: _____?_______ of data in a professional and timely manner and organizing and categorizing the data to efficiently manage it is called?

Collection

In Wireshark, filters are powerful tools that can be used to narrow searches for a specific goal. For example, if you are looking only for outbound HTTP traffic, you could use the following: src host x.x.x.x & http (where x.x.x.x is your IP address) Name the Wireshark Feature?

Display Filter Expressions

This Event Viewer Classification is Generated when a mistake occurs in the OS or other system software

Error

This Digital Forensic Step: _____?_______ of data by forensic analysts working with the appropriate tools to determine which information is relevant to the scope of an investigation is called?

Examination

Depending on the location of the capture, Wireshark can provide a tool to transfer some objects such as files over the network. What Wireshark feature is available to do this?

Export

This capture tool is an FTK Toolkit tool used to capture data.

FTK Imager

What happens when a file is deleted what conditions is recoverable. The process of obtaining deleted files and metadata in data streams is referred to as?

File Carving

When Malware makes changes inside the OS file system this is called?

File system changes

What is a fast imaging and advanced forensic tool. Secures sensitive data with AES 256-bit encryption, and is to for drive captures and clones?

Logicube Falcon

This CPU Architecture types for x86 is used in low power devices, such as IoT. Many router exploits contain payloads based on this type of architecture.

MIPS

What is the roles of an organizations SOC manager?

Manages the daily operation of the center, and reports to the senior security leader (CISO)

This CPU Architecture types for x86 is a new architecture for Intel CPUs.It has two main designs: NASM X86 for 32-bit, and NASM X64 for 64-bit

NASM

John opened an executable file and noticed unusual activity, such as files that opened on their own. For further investigation, he wanted to check if any new network connections were established. Which of the following tools can check network connections?

Netstat

What is the main intent of a Sandbox and what is it solving?

Online sandboxes are automated dynamic analysis platforms that do not require installation. Investigate Malware.

What Packing technique used to hide malware and make it harder to detect and analyze?

PEiD

Name the Data Carving tool that is a powerful free, open-source, and multi-platform carving tool that focuses on rebuilding and recovering media files.

PhotoRec

Actions performed after an incident, including collecting data left behind by an intrusion (artifacts), preserving the data for future use as evidence, and studying what can be learned from the incident to improve Cybersecurity against future events. Is all part of?

Post incident activities

This initial step of the process is where each member of the incident response team reviews the role they will play during an incident

Preparation and planning

Regedit is a utility that can be used to hide and launch programs activated automatically by RunOnce (run and delete) keys. This type of Persistence technique is called?

Registry Keys

What is an advanced forensics and incident response framework, developed by Google. It leverages exact debugging information provided by operating system vendors to precisely locate significant kernel data structures.

Rekall

This Digital Forensic Step: _____?_______ is an essential step in any cyber forensics process and must address the target audience. If it will be used in a court of law, it will require information that may constitute "evidence". is called

Reporting

What is the roles of an organizations CISO?

Responsible for the overall security program, which ranges from cyber risk management to vulnerability management, to any other security-related function associated with incident response.

After you enter a website, a pop-up appears saying your computer files were infected, and offering to fix the problem for a small fee. Which of the following attacks did you encounter?

Scareware

A task can be set to run a malicious payload upon system boot. This type of Persistence technique is called?

Scheduled task

Malware can register a ______?______with a binary path that points to a malicious executable program on the disk.

Service

When a malicious party impersonates another device or user on a network to launch attacks against network hosts, steal data, spread malware, or bypass access controls. This type of obfuscation is called?

Spoofing

Malware can persist through this folder, whereby all executable files in the folder will be run upon powering on the system.

Startup

Hackers can hide crucial information in existing files. This type of obfuscation is called?

Stegnography

Wireshark enables data _____?______ instead of packet-by-packet inspection. By inspecting an entire stream you can obtain more information about network activity. Name the Wireshark Feature?

Stream Inspection

This CPU Architecture types for x86, the legacy architecture for Intel CPUs. It is a 16-bit architecture, and to use it, an emulator (known as a Turbo emulator) is required.

TASM

Containment, eradication, and recovery steps in the NIST is defined as?

Taking action to mitigate the incident.

This is a common tool used for network capture and investigation. It is installed by default on most servers and network equipment and can be run via CLI.

Tcpdump


Conjuntos de estudio relacionados

Health Assessment Exam 1 Study Guide

View Set

NUR 356 Exam 3 Practice Questions

View Set

Chapter 22- Electrostatics (Homework)

View Set

Ch4: Human Digestion and Absorption

View Set

Biologie pour psychologue 2020-2021

View Set