Security+ 4b / Incident Response and Computer Forensics


What is the highest level of normalization that you can achieve with a database? 6NF - Sixth Normal Form 1NF - First Normal Form 5NF - Fifth Normal Form 4NF - Fourth Normal Form

6NF - Sixth Normal Form

How can a forensic analyst benefit from analyzing metadata? (Choose three.) A. JPEG metadata can reveal specific camera settings. B. Microsoft Word metadata can reveal the author name. C. Microsoft Excel metadata can reveal your MAC address. D. PDF metadata can reveal the registered company name.

A. JPEG metadata can reveal specific camera settings. B. Microsoft Word metadata can reveal the author name. D. PDF metadata can reveal the registered company name.

What must be determined by the first responder to an incident? A. The severity of the event B. Which other personnel must be called in C. The dollar amount associated with the incident D. Who is at fault

A. The severity of the event

What can be used to ensure that seized mobile wireless devices do not communicate with other devices? A. SIM card B. Faraday bag C. Antistatic bag D. GPS jammer

B. Faraday bag

Which of the following best describes chain of custody? A. Delegating evidence collection to your superior B. Preserving, protecting, and documenting evidence C. Capturing a system image to another disk D. Capturing memory contents before hard disk contents

B. Preserving, protecting, and documenting evidence

While working on an insider trading case, you are asked to prove that an e-mail message is authentic and was sent to another employee. Which of the following should you consider? (Choose two.) A. Was the message encrypted? B. Was the message digitally signed? C. Are user public keys properly protected? D. Are user private keys properly protected?

B. Was the message digitally signed? D. Are user private keys properly protected? --- B and D. Digitally signing an e-mail message requires the sender's private key, to which only that user should have access; a valid signature therefore ties the message to the sender, who cannot later dispute having sent it (nonrepudiation). That conclusion holds only as far as private keys are actually protected. If private keys sit on a hard disk without a passphrase or a hardware token, anyone with access to the workstation could have produced the signature, and you would need corroborating evidence such as user interviews, access logs, or video surveillance to place the user at the device at the time the message was signed. A and C are incorrect. Encryption provides confidentiality, not sender authenticity; it scrambles the data but says nothing about who sent it. Public keys need no protection, which is why they are called public; their mathematically related private keys are what must be safeguarded.

Which of the following rules must be followed when performing forensic analysis? (Choose two.) A. Work only with the original, authentic data. B. Work only with a copy of data. C. Seek legal permission to conduct an analysis. D. Seek your manager's permission to conduct an analysis.

B. Work only with a copy of data. C. Seek legal permission to conduct an analysis.

What type of evidence would be the most difficult for a perpetrator to forge? A. IP address B. MAC address C. Cell phone SIM card D. Documents on a USB flash drive

C. Cell phone SIM card

What can a forensic analyst do to reduce the number of files that must be analyzed on a seized disk? A. Write a Visual Basic script that deletes files older than 30 days. B. Delete files thought to be operating system files. C. Ensure that the original disk is pristine and use a hash table on a copy of the files. D. Modify file metadata on the original disk to label files.

C. Ensure that the original disk is pristine and use a hash table on a copy of the files. --- C. The analyst hashes every file on the forensic copy and compares the hashes against a reference set of known files, such as the NIST National Software Reference Library (NSRL). Files whose hashes match known, unmodified operating system or application files can be excluded from review, leaving user data and anything that has been altered, which is exactly where the analyst's time should go. The original disk is never written to; hashing and all other work happen on a verified copy. A, B, and D are incorrect because each one modifies or destroys data, either on the original disk or on the evidence copy, and would make the findings inadmissible.
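The known-file triage described in this answer, as an added example that is not part of the original quiz. It hashes an in-memory stand-in for files on a forensic copy, compares them against a reference hash set built from pristine copies (standing in for NSRL), and reports only the files that still need an analyst's eyes. The file paths and contents are constructed sample data, not from any real system.

```python
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    """Hash file contents. SHA-256 avoids the collision problems of the
    MD5/SHA-1 hashes found in older reference sets."""
    return hashlib.sha256(data).hexdigest()


def build_known_set(reference_files: Dict[str, bytes]) -> Set[str]:
    """Stand-in for a reference hash set such as NSRL: hashes of known-good,
    unmodified OS and application files."""
    return {sha256_hex(content) for content in reference_files.values()}


def triage(image_files: Dict[str, bytes], known_hashes: Set[str]) -> List[str]:
    """Return paths whose hash is NOT in the known set. Unchanged OS files drop
    out; user data and anything patched or trojaned stays on the review list."""
    return sorted(
        path for path, content in image_files.items()
        if sha256_hex(content) not in known_hashes
    )


# Constructed sample data (assumption: these stand in for real file contents).
REFERENCE = {
    "C:/Windows/System32/kernel32.dll": b"pristine kernel32 bytes",
    "C:/Windows/System32/ntdll.dll": b"pristine ntdll bytes",
    "C:/Windows/notepad.exe": b"pristine notepad bytes",
}
SEIZED = {
    "C:/Windows/System32/kernel32.dll": b"pristine kernel32 bytes",          # unchanged
    "C:/Windows/System32/ntdll.dll": b"pristine ntdll bytes",                # unchanged
    "C:/Windows/notepad.exe": b"pristine notepad bytes\x90\x90 patched",     # modified binary
    "C:/Users/suspect/Documents/ledger.xlsx": b"user spreadsheet bytes",     # user data
}


if __name__ == "__main__":
    known = build_known_set(REFERENCE)
    for path in triage(SEIZED, known):
        print("review:", path)
```

Two of the four files fall off the list; the patched notepad.exe stays because its hash no longer matches the reference, which is the same signal that catches a trojaned system binary.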

You are preparing to gather evidence from a cell phone. Which of the following is false? A. CDMA mobile devices do not use SIM cards. B. CDMA phones store user data directly on the mobile device. C. GSM mobile devices do not use SIM cards. D. GSM mobile devices use SIM cards.

C. GSM mobile devices do not use SIM cards. --- C is the false statement. Global System for Mobile Communications (GSM) devices identify the subscriber with a SIM card, so a subscriber can move the SIM card into a new GSM handset without involving the carrier; for the examiner this means the SIM card and the handset are separate evidence items that may each hold data. A, B, and D are true statements. Traditional Code-division multiple access (CDMA) handsets do not use SIM cards; the subscriber identity and user data live on the device itself. GSM devices use SIM cards and also store user data on the handset.

The IT director is creating the following year's budget. You are asked to submit forensics dollar figures for your Computer Security Incident Response Team (CSIRT). Which item should you not submit? A. Travel expenses B. Man-hour expenses C. Training expenses D. ALE amounts

D. ALE amounts --- D. Annual loss expectancy (ALE) is the expected yearly monetary loss from a given risk, calculated as single loss expectancy (SLE) multiplied by annualized rate of occurrence (ARO). It is an output of risk assessment, not a forensics expense, so it does not belong in the CSIRT budget. Travel, labor, and training are real costs of running a response capability and should be submitted.

A professional who is present at the time of evidence gathering can be summoned to appear in court or to prepare a report on her findings for use in court. This person is referred to as what? A. Plaintiff B. Defendant C. Auditor D. Forensic expert witness

D. Forensic expert witness

Which SOAR component is used to automate IT-related security incident response? A. Playbook B. Legal hold C. E-discovery D. Runbook

D. Runbook

You must analyze data on a digital camera's internal memory. You plan to connect your forensic computer to the camera using a USB cable. What should you do to ensure that you do not modify data on the camera? A. Ensure that the camera is turned off. B. Flag all files on the camera as read-only. C. Log in with a non-administrative account on the forensic computer. D. Use a USB write-blocking device

D. Use a USB write-blocking device

In which type of software environment are you most likely to find Microsoft Visual Studio and Eclipse? Staging Development Production Test

Development

If you are using hidden fields to capture the state information, which type of attack can occur? Hijack session Cross-site scripting Cookie tampering Injection

Hijack session

Which of the following is a firmware driver used by Unified Extensible Firmware Interface (UEFI)? Option ROMs Bootloader Volatile ROM Static ROM

Option ROMs

Which of the following replaces a string of data with unique identification symbols or numbers? Randomization Hashing Salting Tokenization

Tokenization

Which of the following statements is true for the scalability of a system? It is the same as elasticity and the two terms can be used interchangeably You can add more resources to the system to gain optimal application performance When workload increases, additional resources for the application are provided in an automated fashion Scalability is a popular phenomenon in the cloud environment

You can add more resources to the system to gain optimal application performance

Which of the following items can enforce the RTO for a failed server? A. Disaster recovery plan B. Communication plan C. Stakeholder management D. COOP

A. Disaster recovery plan --- A. A disaster recovery plan (DRP) outlines the steps to be taken to recover from a disruptive incident. A server DRP can enforce the recovery time objective (RTO) for a given server, which specifies the maximum tolerable downtime. Periodic DRP drills should be conducted to prove that the plan actually meets the RTO. B, C, and D are incorrect. A communication plan can be included as part of an incident response plan (IRP) and specifies incident contact information such as managers, escalation contacts, legal, public relations, and so on. Managing stakeholder expectations influences where time and resources for cybersecurity are focused but does not enforce recovery times. Continuity of operations planning (COOP), similar to a business continuity plan (BCP), is the preparation for dealing with disruptions to a process (a business process in the case of the BCP) to minimize the impact of that disruption; COOP focuses more on public and government agency preparedness.

You have a version control system installed. Several developers work with this system. A new developer wants to work on the code. What is the first task that the developer must perform? Check in the code Check out the existing code Copy the code from the developers' system Send an approval request to get the code

Check out the existing code

Which of the following loops runs until a statement becomes true? If...else loop Until loop While loop Do loop

Until loop

Malware can be delivered using which of the following methods? [Choose all that apply] Website Through user E-mail attachments USB

Website E-mail attachments USB

At 9:30 a.m., users report that network performance has been severely degraded since the workday began at 8 a.m. After network analysis and a quick discussion with your IT security team, you conclude that a worm has infected your network. What should you do to contain the damage? (Choose two.) A. Determine the severity of the security breach. B. Unplug SAN devices. C. Shut down all servers. D. Shut down Ethernet switches.

A. Determine the severity of the security breach. D. Shut down Ethernet switches. --- A and D. Once the severity of the issue has been determined, the quickest way to stop a worm spreading is to remove network connectivity, and powering down the Ethernet switches does that for every host at once. B and C are incorrect. Unplugging storage area network (SAN) devices may protect data on SAN disks from infected servers, but the worm can still spread to every other device. Shutting down all servers takes far longer than powering down the switches and leaves infected workstations talking to each other. Containment, including quarantining infected devices by unplugging them from the switch, followed by eradication and recovery, should be executed by incident response team members in accordance with the incident response plan (IRP).

A network intrusion detection device captures network traffic during the commission of a crime on a network. You notice NTP and TCP packets from all network hosts in the capture. You must find a way to correlate captured packets to a date and time to ensure the packet captures will be considered admissible as evidence. What should you do? (Choose two.) A. Nothing. NTP keeps time in sync on a network. B. Nothing. Packet captures are time stamped. C. Without digital signatures, date and time cannot be authenticated. D. Without encryption, date and time cannot be authenticated.

A. Nothing. NTP keeps time in sync on a network. B. Nothing. Packet captures are time stamped. --- A and B. Network Time Protocol (NTP) keeps hosts synchronized to a reliable time source. Captured network traffic is time stamped: each packet record carries the capture host's clock value at the moment the packet was seen, and analysis tools also display each packet's offset from the start of the capture. Those time stamps are only as trustworthy as the capture host's clock, which is why NTP synchronization on the sensor matters to admissibility. C and D are incorrect. A digital signature authenticates the message and its signer, but any time stamp inside the signed content is just a claim by the signer and is not independently guaranteed. Encryption protects confidentiality and has nothing to do with establishing when a packet was captured.
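To make "packet captures are time stamped" concrete, here is an added example (not part of the original quiz) that builds a tiny classic pcap file in memory and reads the per-record time stamps back out. Every record header in the pcap format starts with the capture host's clock as seconds and a fractional part, so the absolute time and the offset from the first packet can both be recovered. The packet payloads are constructed zero bytes; the magic numbers and header layout are the documented pcap values.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond time stamps
MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond time stamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def build_sample_pcap(records, nanosecond: bool = False) -> bytes:
    """Constructed little-endian pcap from (seconds, fraction, payload) tuples.
    Link type 1 = Ethernet, snaplen 65535. Sample data, not a real capture."""
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for sec, frac, payload in records:
        out += struct.pack("<IIII", sec, frac, len(payload), len(payload)) + payload
    return out


def parse_pcap_timestamps(blob: bytes) -> List[Tuple[datetime, timedelta]]:
    """Return (UTC time stamp, offset from first packet) for every record.

    The magic number tells us byte order and whether the fraction field is
    microseconds or nanoseconds; a capture written on a big-endian host is
    handled by re-reading the magic with the other byte order."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    order = "<"
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        (magic,) = struct.unpack_from(">I", blob, 0)
        order = ">"
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a classic pcap file")
    divisor = 1_000_000_000 if magic == MAGIC_NSEC else 1_000_000

    results: List[Tuple[datetime, timedelta]] = []
    first = None
    pos = GLOBAL_HEADER_LEN
    while pos + RECORD_HEADER_LEN <= len(blob):
        sec, frac, incl_len, _orig_len = struct.unpack_from(order + "IIII", blob, pos)
        pos += RECORD_HEADER_LEN + incl_len  # skip over the packet bytes
        ts = datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(
            microseconds=frac * 1_000_000 / divisor
        )
        if first is None:
            first = ts
        results.append((ts, ts - first))
    return results


if __name__ == "__main__":
    sample = build_sample_pcap([
        (1700000000, 250000, b"\x00" * 14),  # first frame, .250000 s
        (1700000001, 750000, b"\x00" * 20),  # 1.5 s later
    ])
    for when, offset in parse_pcap_timestamps(sample):
        print(when.isoformat(), "+%.6f s" % offset.total_seconds())
```

The absolute values come straight from the sensor's clock at capture time; if that sensor was not NTP-synced, the offsets between packets are still reliable but the wall-clock times are not, and that is the point the question is driving at.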

You are asked to examine a hard disk for fragments of instant messaging conversations as well as deleted files. How should you do this? A. Use bitstream copying tools. B. Log in to the computer and copy the original hard drive contents to an external USB hard drive. C. Map a drive across the network to the original hard drive and copy the contents to an external USB hard drive. D. View log files.

A. Use bitstream copying tools. --- A. Bitstream forensic copying tools copy hard disk data at the bit level rather than the file level. When a file is deleted, its directory entry disappears, but its data remains on disk until those sectors are overwritten by new data. File-level copies never pick up deleted data or the slack and unallocated space where chat fragments linger; a bitstream image does. B, C, and D are incorrect. Never log in to a seized computer to copy disk contents; use a write blocker and an external forensic tool instead. Do not copy data from a seized computer across the network, because doing so changes log entries and access times on the target and disturbs the original state of the evidence. Viewing log files might reveal e-mail or instant messaging activity, but it will not reveal deleted data.

A suspect deletes incriminating files and empties the Windows recycle bin. Which of the following statements are true regarding the deletion? (Choose two.) A. The files cannot be recovered. B. The files can be recovered. C. Deleted files contain all of their original data until the hard disk is filled with other data. D. Deleted files contain all of their original data until the hard disk is defragmented.

B. The files can be recovered. C. Deleted files contain all of their original data until the hard disk is filled with other data.

While capturing network traffic, you notice an abnormally excessive number of outbound SMTP packets. To determine whether this is an incident that requires escalation or reporting, what else should you consult? A. The contents of your inbox B. The mail server log C. The mail server documentation D. The web server log

B. The mail server log

What is the purpose of disk forensic software? (Choose two.) A. Using file encryption to ensure copied data mirrors original data B. Using file hashes to ensure copied data mirrors original data C. Protecting data on the original disks D. Creating file hashes on the original disks

B. Using file hashes to ensure copied data mirrors original data C. Protecting data on the original disks

Which built-in Linux operating system tool can be used to create an exact copy of a disk volume for forensic analysis? A. memdump B. dd C. WinHex D. Autopsy

B. dd --- B. The dd command, present on essentially every Linux system, copies a block device to an image file bit for bit while leaving the original volume untouched. A hardware write blocker should still sit between the evidence drive and the examiner's host, and the image must be hashed and compared with the source before analysis begins. FTK Imager is a common graphical equivalent from a commercial vendor. A, C, and D are incorrect. The memdump command is available in some Linux distributions, such as Ubuntu, and copies (dumps) the contents of physical memory to a file for later analysis; dump-file activity should be logged to preserve integrity. WinHex is a commercial hexadecimal editor that can recover deleted or damaged data from disk, and Autopsy is an open-source forensic platform that analyzes many types of storage media and mobile devices, but neither is built into Linux.
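The imaging and verification workflow behind the dd answer above, and the bitstream-copy and hash-verification answers a few cards earlier (fragments of deleted chat, file hashes to prove the copy mirrors the original), as one added example that is not part of the original quiz. The "device" is a constructed file in a temporary directory standing in for /dev/sdb; the chat fragment and file names are made up. The error handling mirrors what dd's conv=noerror,sync does: an unreadable block becomes a zero-filled block in the image instead of aborting the copy.

```python
import hashlib
import os
import re
import tempfile
from typing import List, Tuple

BLOCK_SIZE = 4096  # same role as dd bs=4096


def image_device(src: str, dst: str, block_size: int = BLOCK_SIZE) -> Tuple[str, int]:
    """Bit-for-bit copy of src into dst, hashing the bytes as they are read.

    A failing block is handled like dd conv=noerror,sync: a zero-filled block is
    written in its place and copying continues past it. Returns the SHA-256 of
    everything written and the number of unreadable blocks (both go in the notes)."""
    digest = hashlib.sha256()
    unreadable = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        pos = 0
        while True:
            try:
                chunk = fin.read(block_size)
            except OSError:
                chunk = b"\x00" * block_size
                unreadable += 1
                fin.seek(pos + block_size)  # skip past the bad block
            if not chunk:
                break
            pos += len(chunk)
            digest.update(chunk)
            fout.write(chunk)
    return digest.hexdigest(), unreadable


def sha256_of_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(src: str, dst: str) -> bool:
    """Independent re-hash of source and image, the check an examiner records
    before the original is sealed and all work moves to the copy."""
    return sha256_of_file(src) == sha256_of_file(dst)


def carve_fragments(image_path: str, pattern: bytes) -> List[bytes]:
    """Search the raw image for a byte pattern. No file system is consulted, so
    text sitting in unallocated space (deleted files, old chat logs) is found too."""
    with open(image_path, "rb") as fh:
        data = fh.read()
    return re.findall(pattern, data)


def demo() -> Tuple[bool, List[bytes]]:
    """Constructed 'volume': one live file plus a deleted chat fragment left in
    unallocated space. Assumption: this stands in for a real block device."""
    live = b"[FILE] report.txt: quarterly figures attached"
    deleted = b"[DELETED] msg: meet at 9, bring the drive"
    volume = b"FAKEFS\x00" + live + b"\x00" * 500 + deleted + b"\x00" * 300
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb")      # stands in for /dev/sdb
        dst = os.path.join(tmp, "sdb.dd")   # the image file
        with open(src, "wb") as fh:
            fh.write(volume)
        written_hash, bad_blocks = image_device(src, dst)
        ok = (verify_image(src, dst)
              and written_hash == sha256_of_file(dst)
              and bad_blocks == 0)
        fragments = carve_fragments(dst, rb"msg: [^\x00]+")
    return ok, fragments


if __name__ == "__main__":
    verified, found = demo()
    print("image verified:", verified)
    for frag in found:
        print("carved:", frag.decode())
```

A file-level copy of this volume would contain report.txt and nothing else; the carve over the raw image recovers the deleted message because the bytes were never overwritten, which is the whole argument for bitstream imaging.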

Robin works as a network technician at a stock brokerage firm. To test network forensic capturing software, she plugs her laptop into an Ethernet switch and begins capturing network traffic. During later analysis, she notices some broadcast and multicast packets as well as her own computer's network traffic. Why was she unable to capture all network traffic on the switch? A. She must enable promiscuous mode on her NIC. B. She must disable promiscuous mode on her NIC. C. Each switch port is an isolated collision domain. D. Each switch port is an isolated broadcast domain.

C. Each switch port is an isolated collision domain. --- C. Ethernet switches isolate each port into its own collision domain and forward unicast frames only to the port where the destination MAC address was learned. A capture on an ordinary access port therefore sees the capturing host's own traffic plus broadcast and multicast frames, and nothing else. Promiscuous mode (A) only makes the NIC accept frames not addressed to it; it cannot make the switch deliver frames it would not otherwise send to that port. Many switches can mirror traffic to a monitoring port (port mirroring, called SPAN on Cisco gear), or a network TAP can be inserted inline, but the scenario mentioned neither. D is incorrect because a switch is a single broadcast domain per VLAN, not per port; that is exactly why she did see the broadcasts.

You are reviewing existing network security controls and need to get up to speed on current lateral movement attacks commonly used by malicious users. What should you consult? A. Diamond model B. Cyber kill chain C. MITRE ATT&CK D. COOP

C. MITRE ATT&CK --- C. The MITRE ATT&CK knowledge base catalogs real-world adversary tactics and techniques, including a Lateral Movement tactic whose techniques describe how attackers pivot from a compromised host. A, B, and D are incorrect because none of them is a source of up-to-date attacker techniques. The Diamond model is an intrusion analysis framework in which each malicious event, or diamond, relates an adversary, the capability used, the infrastructure it ran on, and the victim. The cyber kill chain is a framework for tracing an intrusion from initial reconnaissance through delivery, exploitation, and installation to command and control and actions on objectives. Continuity of operations planning (COOP), similar to a business continuity plan (BCP), is the preparation for dealing with disruptions to a process (a business process in the case of the BCP) to minimize the impact of that disruption; COOP focuses more on public and government agency preparedness.

Which Linux command is specifically designed to view systemd logs? A. NXLog B. IPFIX C. journalctl D. echo

C. journalctl --- C. journalctl queries the binary systemd journal and supports filtering by unit, boot, time range, and priority. A, B, and D are incorrect. NXLog is a log collection and forwarding agent for centralized logging that runs on UNIX, Linux, and Windows hosts. IP Flow Information Export (IPFIX) is an IETF standard for exporting network flow records, derived from Cisco's proprietary NetFlow; flow data from routers and switches is used for bandwidth monitoring and performance troubleshooting, and unusual flows can point to malicious activity. sFlow samples packets on equipment from many vendors. None of these reads systemd logs, and echo simply prints its arguments.

You need to review log files to determine whether network reconnaissance to learn of hostnames and IP addresses has occurred. Where will you most likely find this information? A. rsyslog configuration B. VoIP traffic log C. Directory server authentication log D. DNS server log

D. DNS server log --- D. DNS servers hold resource records mapping host names to IP addresses, and those records are consulted to resolve friendly names. Reconnaissance that enumerates a DNS server, such as zone transfer (AXFR) attempts or rapid queries for many names in a zone, therefore shows up in the DNS server's query log. As a counterintelligence measure, a honeypot DNS server seeded with false records can be deployed to mislead attackers. A, B, and C are incorrect. Newer UNIX and Linux systems use rsyslog or syslog-ng to control local logging and forward messages to other hosts; these supersede the older syslog daemon and can filter on message content as well as metadata, but the rsyslog configuration file contains no scan data. Voice over IP (VoIP) devices and related routers log voice and Session Initiation Protocol (SIP) traffic. Directory server authentication logs capture user, software, and device authentication events. None of these log types records hostname and IP address enumeration, but DNS server logs do.
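What reviewing a DNS query log for reconnaissance looks like in practice, as an added example that is not part of the original quiz. The log lines are constructed in BIND 9 query-log layout using documentation address ranges (192.0.2.0/24, 198.51.100.0/24), and the distinct-name threshold of 5 is an assumption chosen for this small sample; a real deployment would baseline it per client population.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# BIND 9 query-log layout. The "@0x..." client pointer is absent in older versions,
# so it is optional in the pattern.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \(\S+\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(lines: Iterable[str]) -> List[dict]:
    """Extract client IP, queried name and query type from each matching line."""
    parsed = []
    for line in lines:
        match = QUERY_RE.search(line)
        if match:
            parsed.append(match.groupdict())
    return parsed


def flag_recon(lines: Iterable[str], distinct_threshold: int = 5) -> Dict[str, List[str]]:
    """Per-client findings: zone transfer or ANY attempts, plus clients that ask
    for more distinct names than a normal stub resolver would in this window."""
    names_by_client = defaultdict(set)
    findings = defaultdict(list)
    for q in parse_queries(lines):
        names_by_client[q["ip"]].add(q["name"].lower())
        if q["qtype"] in ("AXFR", "IXFR"):
            findings[q["ip"]].append(f"zone transfer request ({q['qtype']} {q['name']})")
        elif q["qtype"] == "ANY":
            findings[q["ip"]].append(f"ANY query for {q['name']}")
    for ip, seen in names_by_client.items():
        if len(seen) > distinct_threshold:
            findings[ip].append(
                f"{len(seen)} distinct names queried (threshold {distinct_threshold})"
            )
    return dict(findings)


# Constructed sample log (assumption: one ordinary workstation, one enumerating host).
_P = "queries: info: client @0x7f3b2c0a1a80 "
SAMPLE_LOG = [
    "14-Nov-2023 08:01:02.114 " + _P + "192.0.2.10#53421 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)",
    "14-Nov-2023 08:01:09.330 " + _P + "192.0.2.10#53422 (mail.example.com): query: mail.example.com IN A +E(0)K (192.0.2.1)",
    "14-Nov-2023 08:02:00.001 " + _P + "198.51.100.7#40001 (example.com): query: example.com IN AXFR -T (192.0.2.1)",
] + [
    f"14-Nov-2023 08:02:0{i}.500 " + _P + f"198.51.100.7#4000{i} (host{i}.example.com): query: host{i}.example.com IN A - (192.0.2.1)"
    for i in range(1, 7)
]


if __name__ == "__main__":
    for client, reasons in flag_recon(SAMPLE_LOG).items():
        for reason in reasons:
            print(f"{client}: {reason}")
```

The workstation resolving two names is left alone; the host that asked for a zone transfer and then walked six host names in a minute is flagged on both counts, which is the pattern an examiner is looking for when asked whether enumeration occurred.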

Which of the following tools can only detect an attack on a user's system? Host Intrusion Prevention System (HIPS) Host Intrusion Detection System (HIDS) Network Intrusion Prevention System (NIPS) Network Intrusion Detection System (NIDS)

Host Intrusion Detection System (HIDS)

