DFIR - Digital Forensics Incident Training

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Where can Linux logs be found?

/var/log

Because Linux presents everything as a file, it makes it easier to:

Analyze

What is the MRB process steps?

BIOS settings are loaded The OS partition is located The OS is loaded from the boot sector

Which of the following tools is used to look for embedded executable code?

Binwalk

What tool is used to make a copy of a hard drive?

FTK Imager

What is the first step in analyzing a drive?

Find the partitions

Which of the following can be used to identify a file as malicious?

Hash

Where can a file be hidden in Windows?

In the Alternate Data Stream

Where does fileless malware get stored?

It doesn't

Which of the following systems contains metadata for each stored file?

NTFS

What do we not look for when inspecting processes?

Process size

Which does NOT contain memory artifacts that can be analyzed?

RAM disk

What are MFT attributes?

Standard information Attribute list File name Security descriptor Data Object ID Index root

When investigating a process in Linux we can get all of these Except for..

Where the process was downloaded from

Static Binaries

use a minimal footprint on the system as they are not dependent on libraries pre-install on the Linux OS. & Doesn't require other files to run

Hot site

A backup that is running continuously and ready for imediate switchover

Zeek is a tool for...

Analyzing network traffic

cold site

Cheapest backup option does not always have the necessary equipment to enable the resumption of normal operation

Which of the following is part of the digital forensics process?

Collection, reporting, examination

Where can you view Windows logs?

Event Viewer

What does a magic number do?

Identify the file type

Which of the following is CPU architecture?

NASM, ARM, MIPS

Which of the following tools can check network connections? To investigate if any network connections were established.

Netstat

Which of the following is NOT CPU architecture?

Pi

warm site

Servers & other resources for backup but not as ready for switchover

Which of the following is used for minimal footprint in a system?

Static binaries

How is a file hidden using steganography?

By hiding a file within another file

Which of the following is a digital forensics method?

Live analysis

What file keeps a list of everything on a drive?

MFT - Master File Table

which of the following can help examine a process like a file named code.exe?

Process Dump

Non Repudiation provides:

Provides proof of the origin & integrity of data

Which of the following is NOT a feature of Wireshark?

Replace network traffic

Sockets

Scans for all our sockets

What is a sandbox used for?

To test malware in an isolated environment

What are some notable advantages for Dynamic analysis over static analysis?

Tracking changes, obfuscated data, context u

UBA, User behavior analytics knows what "normal " is for each user?

True

Which of the following is NOT a containment strategy for a cybersecurity incident?

Updating IDS rules

What OS does NTFS run in?

Windows 10, 8, 7, vista, XP, 2000 &NT

What will prefetch help find the evidence of?

A process that had been run

What are Data Carving Tools?

Bulke extractor, HxD, PhotoRec

How are vulvectomies tracked?

By a CVE number

What contains memory artifacts that can be analyzed?

- Crash dump file - Page file - Hibernation file

When inspecting processes we look at all of the following:

- parent process - network connections - DLLs used

Which of the following is a Windows Rvent Viewer classification?

-Error -Debug -Alert

Which of the following should be monitored during dynamic malware analysis?

-Network activity -Registry changes -File system changes

What should you focus on when threat hunting?

Anomalies

What tool is used to analyze a hard drive after we copy it?

Autopsy

Which of the following tools can be used to find persistent malware?

Autoruns

NetScan

Can be used in more recent versions of Windows

What is that thing where Splunk finds related events?

Correlation

What is the correct process used by APT groups?

OSINT>External Takeover>Privilege Escalation >Lateral Movement and Internal Takeover>Hiding Mechanism and Information Theft

Which of the following contains RAW data, has no format, only bytes, and requires tools for capture?

Physical memory

Which of the following are commonly used for malware persistence?

Registry keys, Services

Which of the following tools can be used to research RAM dumps?

Volatility

Which of the following is a network sniffing tool?

tcpdump

What can we not get when the computer is turned off?

RAM

Conscan should be used as a complimentary plugin with

Sockets

Which of the following is not an IR role?

Stress check

Why is it important to use logs?

They store records of potentially important events.

What is the difference between Wireshark and tcpdump?

tcpdump is command-based; Wireshark has a GUI interface

Which of the following is the most common file system used in Linux distributions?

Ext4

Which of the following will generate a log by default?

Linux Authentication process, Web servers, Proxy Servers

What are the stages of NIST methodologies?

Preparation, detection & analysis, containment, eradication & recovery, post-incident Activity

Connscan

Scans for identifiable TCP connections in older versions of Windows

What is the responsibility of a CISO?

To create a strategy for data and IT asset protection and maintain it

Which of the following tools can be used to obfuscate malware code?

UPX

Why is it important to use an IR plan?

When an incident occurs, the IR team will be under pressure to mitigate it, and having an IR plan can help focus on performing the necessary tasks

Which of the following statements is true?

When data is erased from the operating system, it remains on the HDD until it is overwritten

Which tool should an investor use to dynamically investigate malware?

Debugger

A pop-up appears saying your computer files were infected, and offering to fix the problem for free.. what of the following attacks did you encounter?

Scareware

What is in the swap file?

Stuff that wouldn't fit in RAM

What is the purpose of intelligence?

To provide an advantage over your adversary

Which of the following are commonly used for malware persistence?

-Services -Registry Keys

Which of the following tools can be used for drive cloning?

-dd -FTK Imager

Which of the following is a feature of Wireshark?

-object export -stream inspection -display filters

Which of the following is NOT a body section of a portable executable (PE) file?

.header

Which of the following is a body section of a portable executable (PE) file?

.text , .rdata , .data

Which of the following can check to make sure employees are not entering prohibited sites?

DNS cache

Which of the following is NOT a tool that is used for data carving?

DumpIt

Which of the following services provides proof of the origin and integrity of data?

Non-repudiation

You can recover a computer's RAM only when it is turned ..

Off

Which of the following is NOT included in the digital forensics process?

Penetration testing

What are the stages of SANS methodologies?

Preparation, Identification, Containment, Eradication, recovery, and Lessons Learned

Data Carving is a forensics technique that involves what?

Reassembling files from pieces of raw data, when no file system metadata is available

Which of the following are anti-forensic techniques?

Tunneling, Steganography

To investigate a network attack in accordance with the network forensics investigation flow process, what should be the first step?

Check for malware signatures

To test company software and analyze its behavior in real-time, which of the following should be used?

Dynamic analysis

What is the difference between threat hunting and threat intelligence?

Threat intelligence is a process within Threat Hunting and involves learning from other sources

Which of the following is a common identification method that can verify the identity of specific files?

Hashing


Kaugnay na mga set ng pag-aaral

Business Intelligence and Analytics Final Exam

View Set

New English Adventure 2 - Unit Hello

View Set