CSA+ CH 3 Cyber Incident Response 2/2
Which of the following items is not typically found in corporate forensic kits? Write blockers Crime scene tape Label makers Decryption tools
B. Crime scene tape isn't a typical part of a forensic kit if you aren't a law enforcement forensic analyst or officer. Some businesses may use seals or other indicators to discourage interference with investigations. Write blockers, label makers, and decryption tools are all commonly found in forensic kits used by both commercial and law enforcement staff.
What is the minimum retention period for incident data for U.S. federal government agencies? 90 days 1 year 3 years 7 years
C. The U.S. National Archives General Records Schedule stipulates a three-year records retention period for incident-handling records.
Lauren wants to avoid running a program installed by a user that she believes is set with a RunOnce key in the Windows registry but needs to boot the system. What can she do to prevent RunOnce from executing the programs listed in the registry key? Disable the registry at boot. Boot into Safe Mode. Boot with the -RunOnce flag. RunOnce cannot be disabled; she will need to boot from external media to disable it first.
B. By default, Run and RunOnce keys are ignored when Windows systems are booted into Safe Mode. Clever attackers may insert an asterisk to force the program to run in Safe Mode; however, this is not a common tactic.
Lauren finds that the version of Java installed on her organization's web server has been replaced. What type of issue is this best categorized as? Unauthorized software An unauthorized change Unexpected input A memory overflow
B. Lauren's organization should use a change management process to avoid unauthorized changes to their web server. Lauren could then check the change process logs or audit trail to determine who made the change and when. If Java had been installed without proper authorization, then this would be unauthorized software. Unexpected input often occurs when web applications are attacked, and may result in a memory overflow.
Laura needs to check on memory, CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these? Resource Monitor System Monitor Activity Monitor Sysradar
C. The built-in macOS utility for measuring memory, CPU, disk, network, and power usage is Activity Monitor. Windows uses Resource Monitor, Sysradar was made up for this question, and System Monitor is used to collect information from Microsoft's SQL Server via RPC.
Lauren needs to access a macOS system but does not have the user's password. If the system is not FileVaulted, which of the following options is not a valid recovery method? Use Single User mode to reset the password. Use Recovery mode to recover the password. Use Target Disk mode to delete the Keychain. Reset the password from another privileged user account.
C. The keychain in macOS stores user credentials but does not store user account passwords. All of the other options listed are possible solutions for Lauren, but none of them will work if the system has FileVault turned on.
Which of the following properly lists the order of volatility from least volatile to most volatile? Printouts, swap files, CPU cache, RAM Hard drives, USB media, DVDs, CD-RWs DVDs, hard drives, virtual memory, caches RAM, swap files, SSDs, printouts
C. The order of volatility for media from least to most volatile is often listed as backups and printouts; then disk drives like hard drives and SSDs; then virtual memory; and finally CPU cache, registers, and RAM. Artifacts stored in each of these locations can be associated with the level of volatility of that storage mechanism. For example, routing tables will typically be stored in RAM, making them highly volatile. Data stored on a rewriteable media is always considered more volatile than media stored on a write-only media.
Chris notices the following entries in his Squert web console (a web console for Sguil IDS data). What should he do next to determine what occurred? Table shows example for [OSSEC] user missed password more than one time (2502), [OSSEC] SSHD authentication failed (5716), et cetera. Review ssh logs. Disable ssh and then investigate further. Disconnect the server from the Internet and then investigate. Immediately change his password.
A. Failed SSH logins are common, either because of a user who has mistyped their password or because of scans and random connection attempts. Chris should review his SSH logs to see what may have occurred.
Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join? An ISAC A CSIRT A VPAC An IRT
A. Information Sharing and Analysis Centers (ISACs) are information sharing and community support organizations that work within vertical industries like energy, higher education, and other business domains. Ben may choose to have his organization join an ISAC to share and obtain information about threats and activities that are particularly relevant to what his organization does. A CSIRT is a Computer Security Incident Response Team and tends to be hosted in a single organization, a VPAC is made up, and an IRT is an incident response team.
Charles is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST's recommendations? Subnet mask, DHCP server, hostname, MAC address IP addresses, MAC addresses, host name Domain, hostname, MAC addresses, IP addresses NIC manufacturer, MAC addresses, IP addresses, DHCP configuration
B. NIST specifically recommends the hostname, MAC addresses, and IP addresses of the system. Capturing the full output of an ipconfig or ifconfig command may be useful, but forensic analysis may not permit interaction with a live machine. Additional detail like the domain (or domain membership) may or may not be available for any given machine, and NIC manufacturer and similar data is not necessary under most circumstances.
Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities? Wapiti Nmap OpenVAS ZAP
C. Of the tools listed, only OpenVAS is a full system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications, and nmap is a port scanner.
Kathleen's forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files? The MBR Unallocated space Slack space The FAT
C. When clusters are overwritten, original data is left in the unused space between the end of the new file and the end of the cluster. This means that copying new files over old files can leave remnant data that may help Kathleen prove that the files were on the system by examining slack space.
After zero wiping a system's hard drive and rebuilding it with all security patches and trusted accounts, Lauren is notified that the system is once again showing signs of compromise. Which of the following types of malware package cannot survive this type of eradication effort? An MBR-resident malware tool A UEFI-resident malware A BIOS-resident malware A slack space-resident malware package
D. MBR-, UEFI-, and BIOS-resident malware packages can all survive a drive wipe, but hiding files in slack space will not survive a zero wipe. While these techniques are uncommon, they do exist and have been seen in the wild.
Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off? Hibernation file analysis Memory analysis Boot-sector analysis Brute-force cracking
A. If the system that Angela is attempting to access had mounted the encrypted volume before going to sleep and there is a hibernation file, Angela can use hibernation file analysis tools to retrieve the BitLocker key. If the system did not hibernate or the volume was not mounted when the system went to sleep, she will not be able to retrieve the keys. Memory analysis won't work with a system that is off, the boot sector does not contain keys, and brute-force cracking is not a viable method of cracking BitLocker keys because of the time involved.
As an employee of the U.S. government, Megan is required to use NIST's information impact categories to classify security incidents. During a recent incident, proprietary information was changed. How should she classify this incident? As a privacy breach As an integrity loss As a proprietary breach As an availability breach
B. NIST classifies changes or deletion of sensitive or proprietary information as an integrity loss. Proprietary breaches occur when unclassified proprietary information is accessed or exfiltrated, and privacy breaches involve personally identifiable information (PII) that is accessed or exfiltrated.
While reviewing the actions taken during an incident response process, Jennifer is informed by the local desktop support staff person that the infected machine was returned to service by using a Windows system restore point. Which of the following items will a Windows system restore return to a previous state? Personal files Malware Windows system files All installed apps
C. A system restore should not be used to rebuild a system after an infection or compromise since it restores only Windows system files, some program files, registry settings, and hardware drivers. This means that personal files and most malware, as well as programs installed or modifications to programs after the restore point is created, will not be restored.
The incident response kit that Cassandra is building is based around a powerful laptop so that she can perform on-site drive acquisitions and analysis. If she expects to need to acquire data from both SATA and IDE drives, what item should she include in her kit? A write blocker A USB hard drive A multi-interface drive adapter A USB-C cable
C. Cassandra should ensure that she has at least one USB multi-interface drive adapter that can connect to both IDE and SATA drives. While most modern drives use a SATA interface, analysts still periodically encounter older IDE drives. If she was performing forensic analysis, she would also want to use either a hardware or a software write blocker to ensure that she retains forensic integrity of the acquisition. A USB C cable, and a USB hard drive are commonly found in forensic and incident response toolkits, but won't help Cassandra connect to bare drives.
Matt's incident response team has collected log information and is working on identifying attackers using that information. What two stages of the NIST incident response process is his time working in? Preparation and containment, eradication, and recovery Preparation and post-incident activity Detection and analysis, and containment, eradication, and recovery Containment, eradication, and recovery and post-incident activity
C. Collecting and analyzing logs most often occurs in the detection phase, while connecting attacks back to attackers is typically handled in the containment, eradication, and recovery phase of the NIST incident response process.
Ben discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure? Data was modified. The source disk is encrypted. The destination disk has bad sectors. The data cannot be copied in RAW format.
C. If Ben has ensured that his destination media is large enough to contain the image, then a failure to copy is most likely because of bad media. Modification of the source data will result in a hash mismatch, encrypted drives can be imaged successfully despite being encrypted (the imager doesn't care!), and copying in RAW format is simply a bit-by-bit copy and will not cause a failure.
Joe is responding to a ransomware incident that has encrypted financial and business data throughout the organization, including current payroll and HR data. As events currently stand, payroll cannot be run for the current pay period. If Joe uses the NIST functional impact categories shown here, how should Joe rate this incident? image Critical Medium High Extended recovery
C. In this case, with current payroll and financial data encrypted and payroll unable to be run, this should be categorized as a high-severity incident.
Greg finds a series of log entries in his Apache logs showing long strings "AAAAAAAAAAAAAAAAAAAAAAA" followed by strings of characters. What type of attack has he most likely discovered? A SQL injection attack A denial of service attack A memory overflow attack A PHP string-ring attack
C. Overflowing a memory location by placing a string longer than the program expect into a variable is a form of buffer overflow attack. Attackers may choose to use a string of the same letters to make the overflow easier to spot when testing the exploit. Note that what the CySA+ exam calls memory overflows are more often called buffer overflows, and these terms may be used interchangeably in other materials you may encounter.
Frank wants to use netstat to get the process name, the PID, and the username associated with processes that are running on a Linux system he is investigating. What netstat flags will provide him with this information? -na -pt -pe -sa
C. The process details are provided using the p flag, while the e flag will show extended information that includes the username and inode of the process. The -t flag shows only TCP connections, -s shows summary information, -a shows all sockets, and the -n flag shows numeric IPs, which is faster than reverse DNS queries.
What type of attack behavior is shown here? Flow diagram shows return address leads to program instruction, program data, and heap, modified return address leads to program instructions, program data, and heap malicious code, et cetera. Kernel override RPC rewrite Buffer overflow Heap hack
C. This is a simple representation of a buffer overflow attack. The attacker overflows the buffer, causing the return address to be pointed to malicious code that the attacker placed in memory allocated to the process.
During what stage of an event is preservation of evidence typically handled? Preparation Detection and analysis Containment, eradication, and recovery Post-incident activity
C. While responders are working to contain the incident, they should also reserve forensic and incident information for future analysis. Restoration of service is often prioritized over analysis during containment activities, but taking the time to create forensic images and to preserve log and other data is important for later investigation.
Chris needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly? Monitor traffic by running Wireshark on the system. Configure a unique event ID and send it. Monitor traffic by running Wireshark on the SIEM device. Generate a known event and monitor for it.
D. Chris simply needs to generate a known event ID that he can uniquely verify. Once he does, he can log into the SIEM and search for that event at the time he generated it to validate that his system is sending syslogs.
As John proceeds with a forensic investigation involving numerous images, he finds a directory labeled Downloaded from Facebook. The images appear relevant to his investigation, so he processes them for metadata using exiftool. The following image shows the data provided. What forensically useful information can John gather from this output? Sheet shows options for file name, directory, file size, file modification date/time, file type, MIME type, et cetera. The original file creation date and time The device used to capture the image The original digest (hash) of the file, allowing comparison to the original None; Facebook strips almost all useful metadata from images.
D. Facebook, as well as many other social media sites, now strip image metadata to help protect user privacy. John would need to locate copies of the photos that have not had the metadata removed and may still find that they did not contain additional useful data.
The hospital that Ben works at is required to be HIPAA compliant and needs to protect HIPAA data. Which of the following is not an example of PHI? Names of individuals Records of health care provided Records of payment for healthcare Individual educational records
D. The U.S. Department of Health and Human Services defines PHI data elements to include all "individually identifiable health information," including an individual's physical or mental health and their payment for healthcare in the past, present, future; their identity or information that could be used to identify an individual; and the data about the provision of healthcare to individuals. It does not include educational records.
Angela has discovered an attack that appears to be following the process flow shown here. What type of attack should she identify this as? Flow diagram shows six hexagons where identify target leads to prepare for attack, which leads to initial intrusion, expand access, exfiltrate data, and conceal evidence and retain access. Phishing Zero-day exploit Whaling Advanced persistent threat
D. The process flow that Angela has discovered is typically used by an advanced persistent threat. Phishing would focus on gaining credentials, whaling is similar but focused on important individuals, and a zero-day exploit leverages a newly discovered vulnerability before there is a patch or general awareness of the issue.
Chris wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions? A second examiner acting as a witness and countersigning all actions A complete forensic log book signed and sealed by a notary public A documented forensic process with required sign-off Taking pictures of all independent forensic actions
A. A second forensic examiner who acts as a witness, countersigning all documentation and helping document all actions, provides both strong documentation and another potential witness in court. Independent forensic action, no matter how well documented, will not be as reliable as having a witness.
During an incident response process, Susan heads to a compromised system and pulls its network cable. What phase of the incident response process is Susan performing? Preparation Detection and analysis Containment, eradication, and recovery Post-incident activity
C. Removing a system from the network typically occurs as part of the containment phase of an incident response process. Systems are typically not returned to the network until the end of the recovery phase.
Adam works for a large university and sees the following graph in his PRTG console when looking at a year-long view. What behavioral analysis could he leverage based on this pattern? Graph shows daily averages - 365 days on months from 2016-August to 2017-June versus range in megabit per second from 0 to 3,000 with plots for bandwidth traffic IN and bandwidth traffic out. Identify unexpected traffic during breaks like the low point at Christmas. He can determine why major traffic drops happen on weekends. He can identify top talkers. Adam cannot make any behavioral determinations based on this chart.
A. Adam will quickly note that weekends see small drops, but Christmas vacation and summer break both see significant drops in overall traffic. He can use this as a baseline to identify unexpected traffic during those times or to understand what student and faculty behavior mean to his organization's network usage. This detail is not sufficient to determine top talkers, and weekend drops in traffic should be expected, rather than requiring him to look into why having fewer people on campus results in lower usage!
During an incident response process, Alice is assigned to gather details about what data was accessed, if it was exfiltrated, and what type of data was exposed. What type of analysis is she doing? Information impact analysis Economic impact analysis Downtime analysis Recovery time analysis
A. Alice is performing an information impact analysis. This involves determining what data was accessed, if it was exfiltrated, and what impact that loss might have. An economic impact analysis looks at the financial impact of an event, downtime analysis reviews the time that services and systems will be down, and recovery time analysis estimates the time to return to service.
Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using? Sandboxing Reverse engineering Malware disassembly Darknet analysis
A. Derek has created a malware analysis sandbox and may opt to use tools like Cuckoo, Truman, Minibis, or a commercial analysis tool. If he pulls apart the files to analyze how they work, he would be engaging in reverse engineering, and doing code-level analysis of executable malware would require disassembly. Darknets are used to identify malicious traffic and aren't used in this way.
Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to? US-CERT The National Cyber Security Authority The National Cyber Security Center CERT/CC
A. FISMA requires that U.S. federal agencies report incidents to US-CERT. CERT/CC is the coordination center of the Software Engineering Institute and researches software and Internet security flaws as well as works to improve software and Internet security. The National Cyber Security Authority is Israel's CERT, while the National Cyber Security Centre is the UK's CERT.
While performing process analysis on a compromised Linux system, Kathleen discovers a process called "john" that is running. What should she identify as the most likely use of the program? Password cracking Privilege escalation A rootkit A user named John's personal application
A. John the Ripper is a common Linux password cracker. While it is possible that an attacker might choose to call a rootkit or a malicious program used for privilege escalation "john" is it far less likely. Since user processes are identified by the binary name, not the user's identity for the process, a user named John won't result in a process named John unless they create a binary with the same name.
While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100% processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next? Review the sites visited by the web browser when the CPU utilization issues occur Check the browser binary against a known good version Reinstall the browser Disable TLS
A. Malicious sites may run scripts intended to mine cryptocurrency or to perform other actions when they are visited or ads execute code, resulting in high processor consumption. Charles should review the sites that were visited and check them against a trusted site list tool or a reputation tool. The scenario described does not indicate that checking the binary will help, and reinstalling a browser isn't typically part of the response for high CPU usage. Disabling TLS is a terrible idea, and modern CPUs shouldn't have an issue handling secure sites.
While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2017.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred? Microsoft Word files are stored in .zip format. Microsoft Word files are encrypted. Microsoft Word files can be opened only by Microsoft Word. The user has used antiforensic techniques to scramble the data.
A. Modern Microsoft Office files are actually stored in a .zip format. Alex will need to open them using a utility that can unzip them before he can manually review their contents. He may want to use a dedicated Microsoft Office forensics tool or a forensics suite with built-in support for Office documents.
While investigating a compromise, Jack discovers four files that he does not recognize and believes may be malware. What can he do to quickly and effectively check the files to see whether they are malware? Submit them to a site like VirusTotal. Open them using a static analysis tool. Run strings against each file to identify common malware identifiers. Run a local antivirus or anti-malware tool against them.
A. Online tools like VirusTotal, MetaScan, and other online malware scanners use multiple antivirus and anti-malware engines to scan files. This means they can quickly identify many malware packages. Static analysis of malware code is rarely quick and requires specialized knowledge to unpack or de-obsfuscate the files in many cases. Running strings can be helpful to quickly pick out text if the code is not encoded in a way that prevents it but is not a consistently useful technique. Running local AV or anti-malware can be helpful but has a lower success rate than a multi-engine tool.
Charles wants to verify that authentication to a Linux service has two-factor authentication settings set as a requirement. Which common Linux directory can he check for this type of setting, listed by application, if the application supports it? /etc/pam.d /etc/passwd /etc/auth.d /etc/tfa
A. Pluggable authentication module (PAM)-aware applications have a file in the /etc/pam.d directory. These files list directives that define the module and what settings or controls are enabled. Charles should ensure that the multifactor authentication system he uses is configured as required in the PAM files for the services he is reviewing.
Which of the following organizations is not typically involved in post-incident communications? Developers Marketing Public relations Legal
A. Post incident communication often involves marketing and public relations staff who focus on consumer sentiment and improving the organization's image, while legal often reviews statements to limit liability or other issues. Developers are typically not directly involved in post incident communications, and are instead working on ensuring the security of the applications or systems they are responsible for.
Cynthia runs the command shown here while checking usage of her Linux system. Which of the following statements is true based on the information shown? Image shows programing code with commands such as [user1@demo~] dollar netstat -at, et cetera, and table shows columns for proto, recv-Q, send-Q, local address, foreign address, and state. There are two users logged in remotely via ssh. There is an active exploit in progress using the Monkeycom exploit. The local system is part of the demo.com domain. The system is not providing any UDP services.
A. The only true statement based on the image is that there are two remote users ssh'ed into the system. Port 9898 is registered with IANA as Monkeycom but is often used for Tripwire, leading to incorrect identification of the service. The local system is part of the example.com domain, and the command that was run will not show any UDP services because of the -at flag, meaning that you cannot verify if any UDP services are running.
Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered? Window shows dialog box of example2.txt properties with tabs for general, details, Acronis Recovery with options for type of file, opens with, location, size, created, et cetera. Slack space Hidden content Sparse files Encryption overhead
A. The space that Saria sees is the space between the end of the file and the space allocated per cluster or block. This space may contain remnants of previous files written to the cluster or block or may simply contain random data from when the disk was formatted or initialized.
Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this? A trusted system binary kit Dynamic code analysis Static code analysis File rainbow tables
A. Trusted system binary kits like those provided by the National Software Reference Library include known good hashes of many operating systems and applications. Kathleen can validate the files on her system using references like the NSRL (https://www.nsrl .nist.gov/new.html).
Lucas wants to purge a drive to ensure that data cannot be extracted from it when it is sent off-site. Which of the following is not a valid option for purging hard drives on a Windows system? Use the built-in Windows sdelete command line. Use Eraser. Use DBAN. Encrypt the drive and then delete the key.
A. Windows does not include a built-in secure erase tool in the GUI or at the command line. Using a third-party program like Eraser or a bootable tool like DBAN is a reasonable option, and encrypting the entire drive and then deleting the key will have the same effect.
What incident response tool should Lauren build prior to an incident to ensure that staff can reach critical responders when needed? A triage triangle A call list A call rotation A responsibility matrix
B. A call list provides a list of the personnel who should or can be contacted during an incident or response scenario. Sometimes called an escalation list, they typically include the names of the staff members who should be called if there is no response. A rotation list or call rotation is used to distribute workload amongst a team, typically by placing a specific person on-call for a set timeframe. This may help decide who is on the call list at any given point in time. A triage triangle is made up for this question, and responsibility matrices are sometimes created to explain who is responsible for what system or application, but aren't directly used for emergency contact lists.
During the preparation phase of his organization's incident response process, Ben gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of pre-prepared equipment commonly called? A grab bag A jump kit A crash cart A first responder kit
B. A jump kit is a common part of an incident response plan and provides responders with the tools they will need without having to worry about where key pieces of equipment are during a stressful time. Crash carts are often used in data centers to connect a keyboard, mouse, and monitor to a server to work on it. First-responder kits are typically associated with medical responders, and a grab bag contains random items!
Samantha is preparing a report describing the common attack models used by advanced persistent threat actors. Which of the following is a typical characteristic of APT attacks? They involve sophisticated DDoS attacks. They quietly gather information from compromised systems. They rely on worms to spread. They use encryption to hold data hostage.
B. Advanced persistent threats often leverage email, phishing, or a vulnerability to access systems and insert malware. Once they have gained a foothold, APT threats typically work to gain access to more systems with greater privileges. They gather data and information and then exfiltrate that information while working to hide their activities and maintain long-term access. DDoS attacks, worms, and encryption-based extortion are not typical APT behaviors.
Angela wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Angela performed? Manual code reversing Interactive behavior analysis Static property analysis Dynamic code analysis
B. Angela has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Angela's ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.
Which of the following issues is not commonly associated with BYOD devices? Increased network utilization Increased device costs Increased support tickets Increased security risk
B. BYOD, or bring your own device, is increasingly common, and administrators typically find that network utilization, support tickets, and security risk (because of misconfigured, unpatched, or improperly secured devices) increase. Most organizations do not experience additional device costs with BYOD, as users are providing their own devices.
Catherine wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively? A log analysis tool A behavior based analysis tool A signature based detection tool Manual analysis
B. Catherine can configure a behavior based analysis tool which can capture and analyze normal behavior for her application, then alert her when unexpected behavior occurs. While this require initial setup, it requires less long term work than constant manual monitoring, and unlike signature based or log analysis based tools, it will typically handle unexpected outputs appropriately.
Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as "visit time" listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful? The value is in seconds since January 1, 1970. The value is in seconds since January 1, 1601. The value is a Microsoft timestamp and can be converted using the time utility. The value is an ISO 8601-formatted date and can be converted with any ISO time utility.
B. Chrome uses the number of seconds since midnight on January 1, 1601, for its timestamps. This is similar to the file time used by Microsoft in some locations, although the file time records time in 100 nanosecond slices instead of seconds. Since the problem did not specify an operating system and Chrome is broadly available for multiple platforms, you'll likely have recognized that this is unlikely to be a Microsoft timestamp. ISO 8601 is written in a format like this: 2017-04-02T04:01:34+00:00.
After submitting a suspected malware package to VirusTotal, Alex receives the following results. What does this tell Alex? Window shows virustotal with options for SHA256, file name, detection ratio, and analysis tab, and table shows columns for antivirus and result. [https://drive.google.com/open?id=0B4u5n3PsqCBjcXNOVmtROEZFUFE] The submitted file contains more than one malware package. Antivirus vendors use different names for the same malware. VirusTotal was unable to specifically identify the malware. The malware package is polymorphic, and matches will be incorrect.
B. Each antivirus or anti-malware vendor uses their own name for malware, resulting in a variety of names showing for a given malware package or family. In this case, the malware package is a ransomware package; that is known by some vendors as GoldenEye or Petya.
Which of the following activities is not part of the containment and restoration process? Minimizing loss Identifying the attacker Limiting service disruption Rebuilding compromised systems
B. Identifying the attacker is typically handled either during the identification stage or as part of the post-incident activities. The IR process typically focuses on capturing data and allowing later analysis to ensure that services are restored.
Charles finds the following entries on a Linux system in /var/log/auth.log. If he is the only user with root privileges, requires two-factor authentication to log in as root, and did not take the actions shown, what should he check for? Sheet shows text which reads Jun 20, 21:44:02 kali useradd[1433]: new group: name equals demo, GID equals 1000, et cetera. [https://drive.google.com/open?id=0B4u5n3PsqCBjTDViWHhycjhhSzQ] A hacked root account A privilege escalation attack from a lower privileged account or service A malware infection A RAT
B. If Charles has good reason to believe he is the only person with root access to the system, he should look for a privilege escalation attack. A remote access Trojan would not directly provide root access, and a hacked root account is less likely than a privilege escalation attack. A malware infection is possible, and privilege escalation would be required to take the actions shown.
Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice? It will create a crash log, providing useful memory forensic information. It will prevent shutdown scripts from running. It will create a memory dump, providing useful forensic information. It will cause memory-resident malware to be captured, allowing analysis.
B. If the system contains any shutdown scripts or if there are temporary files that would be deleted at shutdown, simply pulling the power cable will leave these files in place for forensic analysis. Pulling the cord will not create a memory or crash dump, and memory-resident malware will be lost at power-off.
Charles believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this? Review /etc/passwd and /etc/shadow for unexpected accounts. Check /home/ for new user directories. Review /etc/sudoers for unexpected accounts. Check /etc/groups for group membership issues.
B. It is unlikely that skilled attackers will create a new home directory for an account they want to hide. Checking /etc/password and /etc/shadow for new accounts is a quick way to detect unexpected accounts, and checking both the sudoers and membership in wheel and other high privilege groups can help Charles detect unexpected accounts with increased privileges.
What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption? Level 1: Manual extraction Level 2: Logical extraction Level 3: JTAG or HEX dumping Level 4: Chip extraction
B. Logical copies of data and volumes from an unlocked or decrypted device is the most likely mobile forensic scenario in many cases. Most forensic examiners do not have access to chip-level forensic capabilities that physically remove flash memory from the circuit board, and JTAG-level acquisition may involve invasive acquisition techniques like directly connecting to chips on a circuit board.
Rick is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image? Window shows memory pressure with options for physical memory, memory used, cached files, swap used, app memory, wired memory, and compressed. Memory resources are available. Memory resources are available but being tasked by memory management processes. Memory resources are in danger, and applications will be terminated to free up memory. Memory resources are depleted, and the disk has begun to swap.
B. Memory pressure is a macOS-specific term used to describe the availability of memory resources. Yellow segments on a memory pressure chart indicate that memory resources are still available but are being tasked by memory management processes such as compression.
A disgruntled former employee uses the systems she was responsible for to slow down the network that Chris is responsible for protecting during a critical business event. What NIST threat classification best fits this type of attack? Impersonation Attrition Improper usage Web
B. NIST describes brute-force methods used to degrade networks or services as a form of attrition in their threat classification scheme. It may be tempting to call this improper usage, and it is; however, once an employee has been terminated, it is no longer an insider attack, even if the employee retains access.
During a major incident response effort, Ben discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data? Reboot the server and mount the system drive using a USB-bootable forensic suite. Create an image using a tool like FTK Imager Lite. Capture the system memory using a tool like Volatility. Install and run an imaging tool on the live server.
B. Portable imaging tools like FTK Imager Lite can be run from removable media, allowing a live image to be captured. Ben may still want to capture the system memory as well, but when systems are used for data gathering and egress, the contents of the disk will be important. Installing a tool or taking the system offline and mounting the drive are both undesirable in this type of scenario when the system must stay online and should not be modified.
Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created? Dynamic analysis Anomaly analysis Static analysis Behavioral analysis
B. Profiling networks and systems will provide a baseline behavior set. A SIEM or similar system can monitor for differences or anomalies that are recorded as events. Once correlated with other events, these can be investigated and may prove to be security incidents. Dynamic and static analysis are types of code analysis, while behavioral, or heuristic, analysis focuses on behaviors that are indicative of an attack or other undesirable behavior. Behavioral analysis does not require a baseline; instead, it requires knowing what behavior is not acceptable.
What common incident response follow-up activity includes asking questions like "What additional tools or resources are needed to detect or analyze future events?" Preparation Lessons-learned review Evidence gathering Procedural analysis
B. Questions including what tools and resources are needed to detect, analyze, or mitigate figure incidents, as well as topics such as how information sharing could be improved, what could be done better or differently, and how effective existing processes and policies are, can all be part of the lessons-learned review.
Casey's search for a possible Linux backdoor account during a forensic investigation has led her to check through the filesystem for issues. Where should she look for back doors associated with services? /etc/passwd /etc/xinetd.conf /etc/shadow $HOME/.ssh/
B. Services are often started by xinetd (although newer versions of some distributions now use systemctl). Both /etc/passwd and /etc/shadow are associated with user accounts, and $HOME/.ssh/ contains SSH keys and other details for SSH-based logins.
During an e-discovery process, Angela reviews the request from opposing counsel and builds a list of all of the individuals identified. She then contacts the IT staff who support each person to request a list of their IT assets. What phase of the EDRM flow is she in? Information governance Identification Preservation Collection
B. She is in the identification phase, which involves identifying systems and data before they are collected and preserved.
Lauren wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them? A chain of custody log Tamper-proof seals System logs None of the above
B. Tamper-proof seals are used when it is necessary to prove that devices, systems, or spaces were not accessed. They often include holographic logos that help to ensure that tampering is both visible and cannot be easily hidden by replacing the sticker. A chain of custody log works only if personnel actively use it, and system logs will not show physical access. If Lauren has strong concerns, she may also want to ensure that the room or space is physically secured and monitored using a camera system.
What step follows sanitization of media according to NIST guidelines for secure media handling? Reuse Validation Destruction Documentation
B. The NIST guidelines require validation after clearing, purging, or destroying media to ensure that the action that was taken is effective. This is an important step since improperly applying the sanitization process and leaving data partially or even fully intact can lead to a data breach!
Joe wants to recovery the passwords for local Windows users on a Windows 7 workstation. Where are the password hashes stored? C:\Windows\System32\passwords C:\Windows\System32\config C:\Windows\Secure\config C:\Windows\Secure\accounts
B. The SAM is stored in C:\Windows\System32\config but is not accessible while the system is booted. The hashed passwords are also stored in the registry at HKEY_LOCAL_MACHINE\SAM but are also protected while the system is booted. The best way to recover the SAM is by booting off of removable media or using a tool like fgdump.
Rick is conducting a forensic investigation of a compromised system. He knows from user reports that issues started at approximately 3:30 p.m. on June 12. Using the SANS SIFT open source forensic tool, what process should he use to determine what occurred? Search the drive for all files that were changed between 3 and 4 p.m. Create a Super Timeline. Run anti-malware and search for newly installed malware tools during that time frame. Search system logs for events between 3 and 4 p.m.
B. The ability to create a timeline of events that covers logs, file changes, and many other artifacts is known as a Super Timeline. SIFT includes this capability, allowing Rick to decide what event types and modules he wants to enable as part of his timeline-based view of events.
What is the key goal of the containment stage of an incident response process? To limit leaks to the press or customers To limit further damage from occurring To prevent data exfiltration To restore systems to normal operation
B. The containment stage of incident response is aimed at limiting damage and preventing any further damage from occurring. This may help stop data exfiltration, but the broader goal is to prevent all types of damage, including further exploits or compromises.
Susan has been asked to capture forensic data from a Windows PC and needs to ensure that she captures the data in their order of volatility. Which order is correct from most volatile to least volatile? Network traffic, CPU cache, disk drives, optical media CPU cache, network traffic, disk drives, optical media Optical media, disk drives, network traffic, CPU cache Network traffic, CPU cache, optical media, disk drives
B. The order of volatility for common storage locations is as follows: CPU cache, registers, running processes, RAM Network traffic Disk drives Backups, printouts, optical media
Joseph wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information? The registry The setupapi log file The system log The data is not kept on a Windows system.
B. The setupapi file (C:\Windows\INF\setupapi.dev.log) records the first time a USB device is connected to a Windows system using the local system's time. Other device information is collected in the registry, and the system security log may contain connection information if USB device logging is specifically enabled.
Ben is investigating a potential malware infection of a laptop belonging to a senior manager in the company he works for. When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation? Run an antivirus scan. Disconnect the system from the network. Wipe the system and reinstall. Observe and record what is being typed.
B. When a system is not a critical business asset that must remain online, the best response is typically to isolate it from other systems and networks that it could negatively impact. By disconnecting it from all networks, Ben can safely investigate the issue without causing undue risk. We have actually encountered this situation. After investigating, we found that the user's text-to-speech application was enabled, and the microphone had the gain turned all the way up. The system was automatically typing words based on how it interpreted background noise, resulting in strange text that really terrified the unsuspecting user.
Cynthia needs to ensure that the workstations she is responsible for have received a critical Windows patch. Which of the following methods should she avoid using to validate patch status for Windows 10 systems? Check the Update History manually. Run the Microsoft Baseline Security Analyzer. Create and run a PowerShell script to search for the specific patch she needs to check. Use SCCM to validate patch status for each machine on her domain.
B. While it may seem like an obvious answer, Microsoft's MBSA is now outdated and does not fully support Windows 10. Cynthia should select one of the other options listed to ensure that she gets a complete report.
Cynthia is reviewing her organization's incident response recovery process, which is outlined here. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process? Flow diagram shows restore from clean backups leads to install patches, which leads to change all passwords and assess system security. Change passwords before restoring from backup. Isolate the system before restoring from backups. Securely wipe the drive before restoration. Vulnerability scan before patching.
B. While it may seem obvious that the system should be isolated from the network when it is rebuilt, we have seen this exact scenario played out before. In one instance, the system was recompromised twice before the system administrator learned their lesson!
During the preservation phase of her work, Angela discovers that information requested as part of the discovery request has been deleted as part of a regularly scheduled data cleanup as required by her organization's policies. What should Angela do? Conduct a forensic recovery of the data. Create synthetic data to replace the missing data. Report the issue to counsel. Purge any other data related to the request based on the same policy.
C. Angela should notify counsel and provide information about the policy and schedule that resulted in the data being removed. This will allow counsel to choose what steps to take next.
Alex needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following is not a method that he could use to acquire the BitLocker key? Analyzing the hibernation file Analyzing a memory dump file Retrieving the key from the MBR Performing a FireWire attack on mounted drives
C. BitLocker keys can be retrieved by analyzing hibernation files or memory dumps or via a FireWire attack for mounted drives. The BitLocker key is not stored in the MBR. After Alex finishes this investigation, he may want to persuade his organization to require BitLocker key escrow to make his job easier in the future.
Which of the following is not a valid use case for live forensic imaging? Malware analysis Encrypted drives Postmortem forensics Nonsupported filesystems
C. Postmortem forensics can typically be done after shutting down systems to ensure that a complete forensic copy is made. Live forensics imaging can help to capture memory-resident malware. It can also aid in the capture of encrypted drives and filesystems when they are decrypted for live usage. Finally, unsupported filesystems can sometimes be imaged while the system is booted by copying data off the system to a supported filesystem type. This won't retain some filesystem-specific data but can allow key forensic activities to take place.
While investigating a spam email, Adam is able to capture headers from one of the email messages that was received. He notes that the sender was Carmen Victoria Garci. What facts can he gather from the headers shown here? Image shows programming code with commands such as ARC-authentication-results: i equals 1; mx.google.com; et cetera. Victoria Garci's email address is [email protected]. The sender sent via Yahoo. The sender sent via a system in Japan. The sender sent via Gmail.
C. Headers can be helpful when tracking down spam email, but spammers often use a number of methods to obfuscate the original sender's IP address, email, or other details. Unfortunately, email addresses are often spoofed, and the email address may be falsified. In this case, the only verifiable information in these headers is the IP address of the originating host, mf-smf-ucb011.ocn.ad.jp (mf-smf-ucb011.ocn.ad.jp) [153.149.228.228]. At times even this detail can be forged, but in most cases, this is simply a compromised host or one with an open email application that spammers can leverage to send bulk email.
Amanda has been tasked with acquiring data from an iPhone as part of a mobile forensics effort. At this point, should she remove the SIM (or UICC) card from the device if she receives the device in a powered-on state? While powered on, but after logical collection While powered on, prior to logical collection While powered off, after logical collection While powered off, before logical collection
C. If a device is powered on, the SIM should not be removed until after logical collection has occurred. Once logical collection has occurred, the device should be turned off, and then the SIM card can be removed. If this were not an iPhone, Amanda might want to check to ensure that the device is not a dual or multi-SIM device.
What is space between the last sector containing logical data and the end of the cluster called? Unallocated space Ephemeral space Slack space Unformatted space
C. Slack space is the space left between the end of a file and the end of a cluster. This space is left open, but attackers can hide data there, and forensic analysts can recover data from this space if larger files were previously stored in the cluster and the space was not overwritten prior to reuse.
Charles wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this? File Permissions User Rights Filesystem Audit Objects
C. The File System audit subcategory includes the ability to monitor for both access to objects (event ID 4663) and permission changes (event ID 4670). Charles will probably be most interested in 4670 permission change events, as 4663 events include read, write, delete, and other occurrences and can be quite noisy!
As part of a test of her network's monitoring infrastructure, Kelly uses snmpwalk to validate her router SNMP settings. She executes snmpwalk as shown here: snmpwalk -c public 10.1.10.1 -v1 iso.3.6.1.2.1.1.0 = STRING: "RouterOS 3.6" iso.3.6.1.2.1.2.0 = OID: iso.3.6.1.4.1.30800 iso.3.6.1.2.1.1.3.0 = Timeticks: (1927523) 08:09:11 iso.3.6.1.2.1.1.4.0 = STRING: "root" iso.3.6.1.2.1.1.5.0 = STRING: "RouterOS" ... Which of the following pieces of information is not something she can discover from this query? SNMP v1 is enabled. The community string is public. The community string is root. The contact name is root.
C. The command line for snmpwalk provides the clues you need. The -c flag specifies a community string to use, and the -v flag specifies the SNMP version. Since we know the community string, you can presume that the contact ID is root rather than the community string.
A major new botnet infection that uses a peer-to-peer command-and-control process much like 2007's Storm botnet has been released. Lauren wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems? Build an IPS rule to detect all peer-to-peer communications that match the botnet's installer signature. Use beaconing detection scripts focused on the command-and-control systems. Capture network flows for all hosts and use filters to remove normal traffic types. Immediately build a network traffic baseline and analyze it for anomalies.
C. The only solution from Lauren's list that might work is to capture network flows, remove normal traffic, and then analyze what is left. The Storm botnet and other peer-to-peer botnets use rapidly changing control nodes and don't rely on a consistent, identifiable control infrastructure, which means that traditional methods of detecting beaconing will typically fail. They also use quickly changing infection packages, making signature-based detection unlikely to work. Finally, building a network traffic baseline after an infection will typically make the infection part of the baseline, resulting in failure to detect malicious traffic.
As part of his forensic analysis of a series of photos, John runs exiftool for each photo. He receives the following listing from one photo. What useful forensic information can he gather from this photo? Sheet shows options for file name, file type, F number, flash, make, et cetera. The original creation date, the device type, the GPS location, and the creator's name The endian order of the file, the file type, the GPS location, and the scene type The original creation date, the device type, the GPS location, and the manufacturer of the device The MIME type, the GPS time, the GPS location, and the creator's name
C. The original creation date (as shown by the GPS time), the device type (a Nexus 6P), the GPS location, and the manufacturer of the device (Huawei) can all provide useful forensic information. Here, you know when the photo was taken, where it was taken, and what type of device it was taken on. This can help narrow down who took the photo or may provide other useful clues when combined with other forensic information or theories.
Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect? destip: [*] and duration < 10 packets and destbytes < 3000 and flowcompleted = true and application = http or https or tcp or unknown and content != uripath:* and content != contentencoding:* Users browsing malicious sites Adware Beaconing Outbound port scanning
C. The pseudocode tells you that Adam is trying to detect outbound packets that are part of short communications (less than 10 packets and less than 3,000 bytes) and that he believes the traffic may appear to be web traffic, be general TCP traffic, or not match known traffic types. He also is making sure that general web traffic won't be captured by not matching on uripath and contentencoding.
Susan is reviewing event logs to determine who has accessed a workstation after business hours. When she runs secpol.msc on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs? Window shows local security policy with tabs for file, action, view, and help, and table shows columns for subcategory and audit events. Login failures User IDs from logins Successful logins Times from logins
C. The system Susan is reviewing only has login failure logging turned on and will not capture successful logins. She cannot rely on the logs to show her who logged in but may be able to find other forensic indicators of activity, including changes in the user profile directories and application caches.
NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties? Customers, constituents, and media Internet service providers Law enforcement agencies Legal counsel
D. NIST identifies customers, constituents, media, other incident response teams, Internet service providers, incident reporters, law enforcement agencies, and software and support vendors as outside parties that an IR team will communicate with.
Brian's network suddenly stops working at 8:40 AM, interrupting video conferences, streaming, and other services throughout his organization, and then resumes functioning. When Brian logs into his PRTG console and checks his router's traffic via the primary connection's redundant network link, he sees the following graph. What should Brian presume occurred based on this information? Graph shows live-graph - 60 minutes - 15 seconds interval on time from 08:20 to 09:10 versus range in megabit per second from 0 to 1,500. The network failed and is running in cached mode. There was a link card failure, and the card recovered. His primary link went down, and he should check his secondary link for traffic. PRTG stopped receiving flow information and needs to be restarted.
C. This image represents an actual situation that involved a severed fiber link. Checking the secondary link would show that traffic failed over to the secondary link after a few minutes of failed connection attempts. This diagram is not sufficient to determine whether Brian has a caching server in place, but normal traffic for streaming services and video conferences wouldn't work via a cache! If the link had failed and the card or device recovered on the same link, a resumption of normal traffic would appear. PRTG has continued to get small amounts of traffic, indicating that it is still receiving some information.
Susan wants to protect the Windows workstations in her domain from buffer overflow attacks. What should she recommend to the domain administrators at her company? Install an anti-malware tool. Install an antivirus tool. Enable DEP in Windows. Set VirtualAllocProtection to 1 in the registry.
C. Windows includes a built-in memory protection scheme called DEP that prevents code from being run in pages that are marked as nonexecutable. By default, DEP only protects "essential Windows programs and services," but it can be enabled for all programs and services, can be enabled for all programs and services except those that are on an exception list, or can be entirely disabled.
While conducting a wireless site survey, Susan discovers two wireless access points that are both using the same MAC address. When she attempts to connect to each, she is sent to a login page for her organization. What should she be worried about? A misconfigured access point A vendor error An evil twin attack A malicious MAC attack
C. Wireless evil twin attacks use a rogue AP configured to spoof the MAC address of a legitimate access point. The device is then configured to provide what looks like a legitimate login page to capture user credentials, allowing attackers to use those credentials to access other organizational resources.
What phase should Angela expect to spend the most person-hours in? Identification Collection and preservation Processing, review, and analysis Production
C. With most e-discovery cases, reviewing the large volumes of data to ensure that only needed data is presented and that all necessary data is made available takes up the most staff time. Many organizations with larger e-discovery needs either dedicate staff or outsource efforts like this.
While performing forensic analysis of an iPhone backup, Cynthia discovers that she has only some of the information that she expects the phone to contain. What is the most likely scenario that would result in the backup she is using having partial information? The backup was interrupted. The backup is encrypted. The backup is a differential backup. The backup is stored in iCloud.
C. iPhone backups to local systems can be full or differential, and in this scenario the most likely issue is that Cynthia has recovered a differential backup. She should look for additional backup files if she does not have access to the original phone. If the backup was encrypted, she would not be able to access it without a cracking tool, and if it was interrupted, she would be unlikely to have the backup file or have it be in usable condition. iCloud backups require access to the user's computer or account and are less likely to be part of a forensic investigation.
What strategy does NIST suggest for identifying attackers during an incident response process? Use geographic IP tracking to identify the attacker's location. Contact upstream ISPs for assistance in tracking down the attacker. Contact local law enforcement so that they can use law enforcement-specific tools. Identifying attackers is not an important part of the incident response process.
D. NIST's Computer Security Incident Handling Guide notes that identifying an attacker can be "time-consuming and futile." In general, spending time identifying attackers is not a valuable use of incident response time for most organizations.
Alex is attempting to determine why a Windows system keeps filling its disk. If she wants to see a graphical view of the contents of the disk that allows her to drill down on each cluster, what Sysinternals tool should she use? du df GraphDisk DiskView
D. DiskView provides a GUI-based view of the disk with each cluster marked by the files and directories it contains. du is a command-line disk usage reporting tool that can report on the size of directories and their subdirectories. df is the Linux command-line disk space usage tool, and GraphDisk was made up for this question.
Angela is conducting an incident response exercise and needs to assess the economic impact to her organization of a $500,000 expense related to an information security incident. How should she categorize this? Low impact Medium impact High impact Angela cannot assess the impact with the data given.
D. Economic impact is calculated on a relative scale, and Angela does not have all of the information she needs. A $500,000 loss may be catastrophic for a small organization and may have a far lower impact to a Fortune 500 company. Other factors like cybersecurity insurance may also limit the economic impact of a cybersecurity incident.
Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound? Create a MD5 hash Create a SHA-1 hash Create a SHA-2 hash All of the above
D. MD5, SHA-1, and SHA-2 hashes are all considered forensically sound. While MD5 hashes are no longer a secure means of hashing, they are still considered appropriate for validation of forensic images because it is unlikely that an attacker would intentionally create a hash collision to falsify the forensic integrity of a drive.
Lucas believes that one of his users has attempted to use built-in Windows commands to probe servers on the network he is responsible for. How can he recover the command history for that user if the system has been rebooted since the reconnaissance has occurred? Check the bash history. Open a command prompt window and hit F7. Manually open the command history from the user's profile directory. The Windows command prompt does not store command history.
D. Once a command prompt window has been closed on a Windows system, the command history is erased. If Lucas could catch the user with an open command prompt, he could hit F7 and see the command history.
What useful information cannot be determined from the contents of the $HOME/.ssh folder when conducting forensic investigations of a Linux system? Remote hosts that have been connected to Private keys used to log in elsewhere Public keys used for logins to this system Passphrases associated with the keys
D. Passphrases associated with keys are not kept in the .ssh folder. It does contain the remote hosts that have been connected to, the public keys associated with those hosts, and private keys generated for use connecting to other systems.
Patents, copyrights, trademarks, and trade secrets are all related to what type of data? PII PHI Corporate confidential Intellectual property
D. Patents, copyrights, trademarks, and trade secrets are all forms of intellectual property. Patents, copyrights, and trademarks are all legal creations to support creators, while trade secrets are proprietary business information and are not formally protected by governments.
Angela has recently taken a new position as the first security analyst that her employer has ever had on staff. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Angela plans to stand up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise? An incident response policy An operations manual An incident response program A playbook
D. Playbooks describe detailed procedures that help to ensure that organizations and individuals take the right actions during the stress of an incident. Operations guides typically cover normal operational procedures, while an incident response policy describes the high-level organizational direction and authority for incident response. An incident response program might generate a policy and a playbook but would not include the detailed instructions itself.
Chris believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections? Network traffic analysis Network forensics Endpoint behavior analysis Endpoint forensics
D. Since most APTs (including this one, as specified in the question) send traffic in an encrypted form, performing network forensics or traffic analysis will only provide information about potentially infected hosts. If Chris wants to find the actual tools that may exist on endpoint systems, he should conduct endpoint forensics. Along the way, he may use endpoint behavior analysis, network forensics, and network traffic analysis to help identify target systems.
The company that Charleen works for has been preparing for a merger, and during a quiet phase she discovers that the corporate secure file server that contained the details of the merger has been compromised. As she works on her report, how should she most accurately categorize the data that was breached? PII PHI Intellectual property Corporate confidential data
D. The CySA+ exam objectives specifically identify data including merger and acquisition information as well as accounting data. This data is obviously not personally identifiable information or personal health information, and corporate confidential data describes it more accurately based on the exam objectives than intellectual property.
During an incident response process, Alex discovers a running Unix process that shows that it was run using the command nc -k -l 6667. He does not recognize the service and needs assistance in determining what it is. Which of the following would best describe what he has encountered? An IRCC server A network catalog server A user running a shell command A netcat server
D. The program netcat is typically run using nc. The -k flag for netcat makes it listen continuously rather than terminating after a client disconnects, and -l determines the port that it is listening on. In this case, the netcat server is listening on TCP port 6667, which is typically associated with IRC.
John believes that the image files he has encountered during a forensic investigation were downloaded from a site on the Internet. What tool can John use to help identify where the files were downloaded from? Google reverse image search Tineye Bing Image Match All of the above
D. There are numerous reverse image search tools, including Google's reverse image search, Tineye, and Bing's Image Match. John may want to use each of these tools to check for matching images.
Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking? userstat [username] ls -ld /home/[username] aureport -auth | grep [username] None of the above
D. There is no common standard for determining the age of a user account in Linux. Some organizations add a comment to user accounts using the -c flag for user creation to note when they are created. Using the ls command with the -ld flag will show the date of file creation, which may indicate when a user account was created if a home directory was created for the user at account creation, but this is not a requirement. The aureport command is useful if auditd is in use, but that is not consistent between Linux distros.
Angela is performing a forensic analysis of a Windows 10 system and wants to provide an overview of usage of the system using information contained in the Windows registry. Which of the following is not a data element she can pull from the SAM? Password expiration setting User account type Number of logins The first time the account logged in
D. While the registry contains the account creation date and time as well as the last login date and time, it does not contain the time the user first logged in. Fortunately for Angela, the SAM also contains password expiration information, user account type, the username, full name, user's password hint, when the password must be reset and when it will fail, as well as if a password is required. The SAM does not include the number of logins for a user, but some of this detail may be available in the system logs.