CHA Ch3 Practice Cyber Incident Response
B. Lucca only needs a verifiable MD5 hash to validate the files under most circumstances. This will let him verify that the file he downloaded matches the hash of the file that the vendor believes they are providing. There have been a number of compromises of vendor systems, including open source projects that included distribution of malware that attackers inserted into the binaries or source code available for download, making this an important step when security is critical to an organization.
1. If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them? A File size and file creation date B MD5 hash C Private key and cryptographic hash D Public key and cryptographic hash
B. Linux provides a pair of useful ACL backup and restore commands: getfacl allows recursive backups of directories, including all permissions to a text file, and setfacl restores those permissions from the backup file. Both aclman and chbkup were made up for this question.
10. Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system? A chbkup B getfacl C aclman D There is not a common Linux permission backup tool.
B. In cases where an advanced persistent threat (APT) has been present for an unknown period of time, backups should be assumed to be compromised. Since APTs often have tools that cannot be detected by normal anti-malware techniques, the best option that Charles has is to carefully rebuild the systems from the ground up and then ensure that they are fully patched and secured before returning them to service.
11. While working to restore systems to their original configuration after a long-term APT compromise, Charles has three options. Which option should Charles choose in this scenario? A He can restore from a backup and then update patches on the system. B He can rebuild and patch the system using original installation media and application software using his organization's build documentation. C He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems. D None of the above. Charles should hire a third party to assess the systems before proceeding.
A. FileVault does allow trusted accounts to unlock the drive but not by changing the key. FileVault 2 keys can be recovered from memory for mounted volumes and much like BitLocker, it suggests that users record their recovery key, so Jessica may want to ask the user or search their office or materials if possible. Finally, FileVault keys can be recovered from iCloud, providing her with a third way to get access to the drive.
12. Jessica wants to access a macOS FileVault 2-encrypted drive. Which of the following methods is not a possible means of unlocking the volume? A Change the FileVault key using a trusted user account. B Retrieve the key from memory while the volume is mounted. C Acquire the recovery key. D Extract the keys from iCloud.
D. Windows audits account creation by default. Frank can search for account creation events under event ID 4720 for modern Windows operating systems.
14. Frank wants to log the creation of user accounts on a Windows 7 workstation. What tool should he use to enable this logging? A secpol.ms B cauditpol.msc C regedit D Frank does not need to make a change; this is a default setting.
A. Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting will leave the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning will also leave data intact in the new partitions.
15. If Danielle wants to purge a drive, which of the following options will accomplish her goal? A Cryptographic erase B Reformat C Overwrite D Repartition
B. Unless she already knows the protocol that a particular beacon uses, filtering out beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge common analytical tools and will use protocols that are less likely to attract attention. Filtering network traffic for beacons based on the intervals and frequency they are sent at, if the beacon persists over time, and removing known traffic are common means of filtering traffic to identify beacons.
16. Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network? A Persistence of the beaconing B Beacon protocol C Beaconing interval D Removal of known traffic
C. Local scans often provide more information than remote scans because of network or host firewalls that block access to services. The second most likely answer is that Scott or Joanna used different settings when they scanned.
17. While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports? A Different patch levels during the scans B They are scanning through a load balancer. C There is a firewall between the remote network and the server. D Scott or Joanna ran the vulnerability scan with different settings.
C. A general best practice when dealing with highly sensitive systems is to encrypt copies of the drives before they are sent to third parties. Adam should encrypt the drive image and provide both the hash of the image and the decryption key under separate cover (sent via a separate mechanism) to ensure that losing the drive itself does not expose the data. Once the image is in the third-party examiner's hands, they will be responsible for its security. Adam may want to check on what their agreement says about security!
18. As part of his organization's cooperation in a large criminal case, Adam's forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam's team take prior to sending a drive containing the forensic image? A Encode in EO1 format and provide a hash of the original file on the drive. B Encode in FTK format and provide a hash of the new file on the drive. C Encrypt the RAW file and transfer a hash and key under separate cover. D Decrypt the RAW file and transfer a hash under separate cover.
B. Hardware write blockers can ensure that connecting or mounting the drive does not cause any changes to occur on the drive. Mika should create one or more forensic images of the original drive and then work with the copy or copies as needed. She may then opt to use forensic software, possibly including a software write blocker.
19. Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this? A Set the "read-only" jumper on the drive. B Use a write blocker. C Use a read blocker. D Use a forensic software package.
C. The amount of metadata included in photos varies based on the device used to take them, but GPS location, GPS timestamp-based time (and thus correct, rather than device native), and camera type can all potentially be found. Image files do not track how many times they have been copied!
2. Jeff discovers multiple .jpg photos during his forensic investigation of a computer involved in an incident. When he runs exiftool to gather file metadata, which information is not likely to be part of the images even if they have complete metadata intact? A GPS location B Camera type C Number of copies made D Correct date/timestamp
C. CompTIA defines two phases: incident eradication and validation. Validation phase activities per CompTIA's split include patching, permissions, scanning, and verifying logging works properly.
21. Lisa is following the CompTIA process for validation after a compromise. Which of the following actions should be included in this phase? A Sanitization B Re-imaging C Setting permissions D Secure disposal
B. SNMP, packet sniffing, and netflow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial ports, not exactly the sort of tool you'd use to watch your network's bandwidth usage!
22. Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage? A SNMP B Portmon C Packet sniffing D Netflow
B. James can temporarily create an untrusted network segment and use a span port or tap to allow him to see traffic leaving the infected workstation. Using Wireshark, he can build a profile of the traffic it sends, helping him build a fingerprint of the beaconing behavior. Once he has this information, he can then use it in his recovery efforts to ensure that other systems are not similarly infected.
23. James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system? A Plug the system in to the network and capture the traffic quickly at the firewall using Wireshark. B Plug the system into an isolated switch and use a span port or tap and Wireshark to capture traffic. C Review the ARP cache for outbound traffic. D Review the Windows firewall log for traffic logs.
B. Conducting a lessons-learned review after using an incident response plan can help to identify improvements and to ensure that the plan is up-to-date and ready to handle new events.
25. After completing an incident response process and providing a final report to management, what step should Casey use to identify improvement to her incident response plan? A Update system documentation. B Conduct a lessons-learned session. C Review patching status and vulnerability scans. D Engage third-party consultants.
B. If Kathleen's company uses a management system or inventory process to capture the MAC addresses of known organizationally owned systems, then a MAC address report from her routers and switches will show her devices that are connected that are not in inventory. She can then track down where the device is physically connected to the port on the router or switch to determine whether the device should be there.
26. The senior management at the company that Kathleen works for is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information? A A discovery scan using a port scanner. B Router and switch-based MAC address reporting. C A physical survey. D Reviewing a central administration tool like SCCM.
C. When /var fills up, it is typically due to log files filling up all available space. The /var partition should be reviewed for log files that have grown to extreme size or that are not properly set to rotate.
27. While investigating a system error, Lauren runs the df command on a Linux box that she is the administrator for. What problem and likely cause should she identify based on this listing? # df -h /var/ Filesystem Size Used Avail Use% Mounted on /dev/sda1 40G 11.2G 28.8 28% / /dev/sda2 3.9G 3.9G 0 100% /var A The var partition is full and needs to be wiped. B Slack space has filled up and needs to be purged. C The var partition is full, and logs should be checked. D The system is operating normally and will fix the problem after a reboot.
D. Linux permissions are read numerically as "owner, group, other." The numbers stand for read: 4, write: 2, and execute: 1. Thus, a 7 provides that person, group, or other with read, write, and execute. A 4 means read-only, a 5 means read and execute, without write, and so on. 777 provides the broadest set of permissions, and 000 provides the least.
28. In order, which set of Linux permissions are least permissive to most permissive? A 777, 444, 111 B 544, 444, 545 C 711, 717, 117 D 111, 734, 747
C. Improper usage, which results from violations of an organization's acceptable use policies by authorized users, can be reduced by implementing a strong awareness program. This will help ensure users know what they are permitted to do and what is prohibited. Attrition attacks focus on brute-force methods of attacking services. Impersonation attacks include spoofing, man-in-the-middle attacks, and similar threats. Finally, web-based attacks focus on websites or web applications. Awareness may help with some specific web-based attacks like fake login sites, but many others would not be limited by Lauren's awareness efforts.
29. As Lauren prepares her organization's security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness? A Attrition B Impersonation C Improper usage D Web-based
A. Chris needs both /etc/passwd and /etc/shadow for John to crack the passwords. While only hashes are stored, John the Ripper includes built-in brute-force tools that will crack the passwords.
3. Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system? A Both /etc/passwd and /etc/shadow B /etc/shadow C /etc/passwd D Chris cannot recover passwords; only hashes are stored.
C. Incremental mode is John the Ripper's most powerful mode, as it will try all possible character combinations as defined by the settings you enter at the start. Single crack mode tries to use login names with various modifications and is very useful for initial testing. Wordlist uses a dictionary file along with mangling rules to test for common passwords. External mode relies on functions that are custom-written to generate passwords. External mode can be useful if your organization has custom password policies that you want to tweak the tool to use.
30. Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in? A Single crack mode B Wordlist mode C Incremental mode D External mode
B. If business concerns override his ability to suspend the system, the best option that Charles has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, volatility can capture memory artifacts but is not designed to capture a full virtual machine.
31. During a forensic investigation, Charles discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? A Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. B Copy the virtual disk files and then use a memory capture tool. C Escalate to management to get permission to suspend the system to allow a true forensic copy. D Use a tool like the Volatility Framework to capture the live machine completely.
B. Re-assembling the system to match its original configuration can be important in forensic investigations. Color-coding each cable and port as a system is disassembled before moving helps to ensure proper re-assembly. Mika should also have photos taken by the on-site investigators to match her re-assembly work to the on-site configuration.
32. Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the on-site team. Why are the items labeled like this? A To ensure chain of custody B To ensure correct re-assembly C To allow for easier documentation of acquisition D To tamper-proof the system
D. The Signal protocol is designed for secure end-to-end messaging, and using a distinct messaging tool for incident response can be helpful to ensure that staff separate incident communication from day-to-day operations. Text messaging is not secure. Email with TLS enabled is encrypted only between the workstation and email server and may be exposed in plain text at rest and between other servers. A Jabber server with TLS may be a reasonable solution but is less secure than a Signal-based application.
33. Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool? A Text messaging B A Jabber server with TLS enabled C Email with TLS enabled D A messaging application that uses the Signal protocol
C. Since the drives are being returned at the end of a lease, you must assume that the contract does not allow them to be destroyed. This means that purging the drives, validating that the drives have been purged, and documenting the process to ensure that all drives are included are the appropriate actions. Clearing the drives leaves the possibility of data recovery, while purging, as defined by NIST SP 800-88, renders data recovery infeasible.
35. Alex needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process? A Clear, validate, and document. B Purge the drives. C Purge, validate, and document. D The drives must be destroyed to ensure no data loss.
C. The default macOS drive format is HFS+ and is the native macOS drive format. By default, it uses 512-byte logical blocks (sectors) and up to 4,294,967,296 allocation blocks. macOS does support FAT32 and can read NTFS but cannot write to NTFS drives without additional software. MacFAT was made up for this problem.
36. Selah is preparing to collect a forensic image for a Macintosh computer. What hard drive format is she most likely to encounter? A FAT32 B MacFAT C HFS+ D NTFS
B. Eraser is a tool used to securely wipe files and drives. If Eraser is not typically installed on his organization's machines, Tim should expect that the individual being investigated has engaged in some antiforensic activities including wiping files that may have been downloaded or used against company policy. This doesn't mean he shouldn't continue his investigation, but he may want to look at Eraser's log for additional evidence of what was removed.
37. During a forensic analysis of an employee's computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation? A A wiped C: drive B Anti-forensic activities C All slack space cleared D Temporary files and Internet history wiped
B. Data carving is the process of identifying files based on file signatures such as headers and footers and then pulling the information between those locations out as a file. Jessica can use common carving tools or could manually carve files if she knows common header and footer types that she can search for.
38. Jessica wants to recover deleted files from slack space and needs to identify where the files begin and end. What is this process called? A Slacking B Data carving C Disk recovery D Header manipulation
D. A CSIRT leader must have authority to direct the incident response process and should be able to act as a liaison with organizational management. While Lauren may not have deep incident response experience, she is in the right role to provide those connections and leadership. She should look at retaining third-party experts for incidents if she needs additional skills or expertise on her IR team.
39. Lauren is the IT manager for a small company and occasionally serves as the organization's information security officer. Which of the following roles should she include as the leader of her organization's CSIRT? A Her lead IT support staff technician B Her organization's legal counsel C A third-party IR team lead D She should select herself.
B. The Sysinternals suite provides two tools for checking access, AccessEnum and AccessChk. AccessEnum is a GUI-based program that gives a full view of filesystem and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent. AccessChk is a command-line program that can check the rights a user or group has to resources.
4. Charles needs to review the permissions set on a directory structure on a Window system he is investigating. Which Sysinternals tool will provide him with this functionality? A DiskView B AccessEnum C du D AccessChk
A. The NX bit sets fine-grained permissions to mapped memory regions, while ASLR ensures that shared libraries are loaded at randomized locations, making it difficult for attackers to leverage known locations in memory via shared library attacks. DEP is a Windows tool for memory protection, and position-independent variables are a compiler-level protection that is used to secure programs when they are compiled.
41. Lauren wants to ensure that the two most commonly used methods for preventing Linux buffer overflow attacks are enabled for the operating system she is installing on her servers. What two related technologies should she investigate to help protect her systems? A The NX bit and ASLR B StackAntismash and DEP C Position-independent variables and ASLR D DEP and the position-independent variables
C. If the Security log has not rotated, Angela should be able to find the account creation under event ID 4720. The System log does not contain user creation events, and user profile information doesn't exist until the user's first login. The registry is also not a reliable source of account creation date information.
42. Angela is attempting to determine when a user account was created on a Windows 10 workstation. What method is her best option if she believes the account was created recently? A Check the System log. B Check the user profile creation date. C Check the Security log. D Query the registry for the user ID creation date.
A. The Linux file command shows a file's format, encoding, what libraries it is linked to, and its file type (binary, ASCII text, etc.). Since Alex suspects that the attacker used statically linked libraries, the file command is the best command to use for this scenario. stat provides the last time accessed, permissions, UID and GID bit settings, and other details. It is useful for checking when a file was last used or modified but won't provide details about linked libraries. strings and grep are both useful for analyzing the content of a file and may provide Alex with other hints but won't be as useful as the file command for this purpose.
43 Alex suspects that an attacker has modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determining whether this has occurred? A file B stat C strings D grep
D. Lauren will get the most information by setting auditing to All but may receive a very large number of events if she audits commonly used folders. Auditing only success or failure would not show all actions, and full control is a permission, not an audit setting.
44 Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes? A Success B Fail C Full control D All
A. The apt command is used to install and upgrade packages in Ubuntu Linux from the command line. The command apt-get -u upgrade will list needed upgrades and patches (and adding the -V flag will provide useful version information). The information about what patches were installed is retained in /var/log/apt, although log rotation may remove or compress older update information.
45. Cameron believes that the Ubuntu Linux system that he is restoring to service has already been fully updated. What command can he use to check for new updates, and where can he check for the history of updates on his system? A apt-get -u upgrade, /var/log/apt B rpm -i upgrade, /var/log/rpm C upgrade -l, /var/log/upgrades D apt-get install -u; Ubuntu Linux does not provide a history of updates
C. Under most circumstances Ophcrack's rainbow table-based cracking will result in the fastest hash cracking. Hashcat's high-speed, GPU-driven cracking techniques are likely to come in second, with John the Ripper and Cain and Abel's traditional CPU-driven cracking methods remaining slower unless their mutation-based password cracks discover simple passwords very quickly.
46. Adam wants to quickly crack passwords from a Windows 7 system. Which of the following tools will provide the fastest results in most circumstances? A John the Ripper B Cain and Abel C Ophcrack D Hashcat
A. A logical acquisition focuses on specific files of interest, such as a specific type of file, or files from a specific location. In Eric's case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit-by-bit acquisition is typically performed for a full drive and will take longer.
47. Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed? A Logical B Bit-by-bit C Sparse D None of the above
D. The chain of custody for evidence is maintained by logging and labeling evidence. This ensures that the evidence is properly controlled and accessed.
49. During a forensic investigation, Steve records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Steve is using as he labels evidence with details of who acquired and validated it? A Direct evidence B Circumstantial evidence C Incident logging D Chain of custody
C. NIST describes events like this as security incidents because they are a violation or imminent threat of violation of security policies and practices. An adverse event is any event with negative consequences, and an event is any observable occurrence on a system or network.
6. The organization that Alex works for classifies security related events using NIST's standard definitions. Which classification should he use when he discovers key logging software on one of his frequent business traveler's laptop? A An event B An adverse event C A security incident D A policy violation
B. In most cases, the first detection type Jennifer should deploy is a rogue SSID detection capability. This will help her reduce the risk of users connecting to untrusted SSIDs. She may still want to conduct scans of APs that are using channels they should not be, and of course her network should either use network access controls or scan for rogue MAC addresses to prevent direct connection of rogue APs and other devices.
7. Jennifer is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first? A Authorized MAC B Authorized SSID C Authorized channel D Authorized vendor
C. Dan's efforts are part of the preparation phase, which involves activities intended to limit the damage an attacker could cause.
8. Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. What phase of the incident response process is Dan in? A Post-incident activity B Detection and analysis C Preparation D Containment, eradication, and recovery
B. Organizations that process credit cards work with acquiring banks to handle their card processing, rather than directly with the card providers. Notification to the bank is part of this type of response effort. Requiring notification of law enforcement is unlikely, and the card provider listing specifies only two of the major card vendors, none of which are specified in the question.
9. The company that Brian works for processes credit cards and is required to be compliant with PCI-DSS. If Brian's company experiences a breach of card data, what type of disclosure will they be required to provide? A Notification to local law enforcement B Notification to their acquiring bank C Notification to federal law enforcement D Notification to Visa and MasterCard