CySA 4
12. Jessica wants to access a macOS FileVault 2-encrypted drive. Which of the following methods is not a possible means of unlocking the volume? Change the FileVault key using a trusted user account. Retrieve the key from memory while the volume is mounted. Acquire the recovery key. Extract the keys from iCloud.
"A. FileVault does allow trusted accounts to unlock the drive but not by changing the key. FileVault 2 keys can be recovered from memory for mounted volumes and much like BitLocker, it suggests that users record their recovery key, so Jessica may want to ask the user or search their office or materials if possible. Finally, FileVault keys can be recovered from iCloud, providing her with a third way to get access to the drive."
71. Jose is aware that an attacker has compromised a system on his network but wants to continue to observe the attacker's efforts as they continue their attack. If Jose wants to prevent additional impact on his network while watching what the attacker does, what containment method should he use? Removal Isolation Segmentation Detection
"A. MAC address spoofing or cloning will allow a system to easily bypass port security because port security only relies on MAC address verification to decide which systems can connect to a given network port.
36. Selah is preparing to collect a forensic image for a Macintosh computer running the Mojave operating system. What hard drive format is she most likely to encounter? FAT32 MacFAT APFS HFS+
"A. Phishing attacks typically target credentials, so Lisa should focus on how to identify what credentials were exposed, how to prevent compromised credentials from causing problems, and how to reduce the likelihood of future successful phishing attacks. At the same time, she will need to monitor for use of the compromised credentials!
15 If Suki wants to purge a drive, which of the following options will accomplish her goal? Cryptographic erase Reformat Overwrite Repartition"
"A. Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting will leave the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning will also leave data intact in the new partitions."
84. Near the end of a typical business day, Suki is notified that her organization's email servers have been blacklisted because of email that appears to originate from her domain. What information does she need to start investigating the source of the spam emails? Firewall logs showing SMTP connections The SMTP audit log from her email server The full headers of one of the spam messages Network flows for her network
"A. SCAP (Security Content Automation Protocol) is a set of specifications that define how to exchange security automation content used to assess configuration compliance. It can also be used to detect vulnerable versions of software.
65. During an incident response process, Susan plugs a system back into the network, allowing it normal network access. What phase of the incident response process is Susan performing? Preparation Detection and analysis Containment, eradication, and recovery Postincident activity"
"A. Secure/Multipurpose Internet Mail Extensions (S/MIME) is standard for encryption and signing that has been implemented for many email platforms. If his email client and the recipient's email client both support it, Eric can digitally sign his email to prove that he sent it and that the content has not been changed."
46. Adam wants to quickly crack passwords from a Windows system. Which of the following tools will provide the fastest results in most circumstances? John the Ripper Cain and Abel Ophcrack Hashcat
"A. Since Andrea is attempting to stop external scans from gathering information about her network topology, the firewall is the best place to stop them. A well-designed ruleset can stop, or at least limit, the amount of network topology information that attackers can collect.
39. Latisha is the IT manager for a small company and occasionally serves as the organization's information security officer. Which of the following roles should she include as the leader of her organization's CSIRT? Her lead IT support staff technician Her organization's legal counsel A third-party IR team lead She should select herself."
"A. The Structured Threat Information Expression language (STIX), and TAXII, the protocol used to transfer threat intelligence, are open protocols that have been adopted to allow multiple threat sources to be combined effectively. SAML is Security Assertion Markup Language, OCSP is Online Certificate Status Protocol, and CAB was made up for this question."
30. "Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in? Single crack mode Wordlist mode Incremental mode External mode"
"A. The only error in this rule is the protocol. SMTP does run on port 25, and inbound connections should be accepted from any port and IP address. The destination IP address (10.15.1.1) is correct. However, SMTP uses the TCP transport protocol, not UDP."
61. "Which of the following commands is not useful for determining the list of network interfaces on a Linux system? ifconfig netstat -i ip link show intf -q
"A. The top command provides a real-time view of the memory usage for a system on a per-process basis. The ls command does not work for memory; mem was made up for this question; and memstat is used to check the state of memcached servers, and it won't help in this circumstance. If you're not familiar with basic Linux commands like top, you should spend some time with a Linux system as you prepare for the CySA+ exam. A basic understanding of common commands can be very helpful."
19. Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this? Set the "read-only" jumper on the drive. Use a write blocker. Use a read blocker. Use a forensic software package.
"B. A hardware write blocker can ensure that connecting or mounting the drive does not cause any changes to occur on the drive. Mika should create one or more forensic images of the original drive and then work with the copy or copies as needed. She may then opt to use forensic software, possibly including a software write blocker."
35. Lakshman needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process? Clear, validate, and document. Purge the drives. Purge, validate, and document. The drives must be destroyed to ensure no data loss.
"B. Both quarantine networks and captive portals with patch tools and instructions are common solutions to this type of requirement. In this case, placing systems into an isolated quarantine network with access to update and patching sites will meet Manish's needs."
72. "When Abdul arrived at work this morning, he found an email in his inbox that read, "Your systems are weak; we will own your network by the end of the week." How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs? An indicator A threat A risk A precursor
"B. By default, an iptables firewall will have INPUT, OUTPUT, and FORWARD chains. Piper should use the DROP command on all three to stop all traffic to or from a machine."
31. During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. Copy the virtual disk files and then use a memory capture tool. Escalate to management to get permission to suspend the system to allow a true forensic copy. Use a tool like the Volatility Framework to capture the live machine completely."
"B. Chris can correct this error by switching the positions of rules 2 and 3. Rule 3, which permits access from the 10.20.0.0/16 subnet, will never be triggered because any traffic from that subnet also matches rule 2, which blocks it.
55. Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form fill information saved in? SQLite Plain text Base64 encoded text NoSQL"
"B. Domain names like those listed are a common sign of a domain generation algorithm (DGA), which creates procedurally generated domain names for malware command and control hosts."
80. While reviewing his network for rogue devices, Dan notes that a system with MAC address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his building for three days. What information can this provide Dan that may be helpful if he conducts a physical survey of the office? The operating system of the device The user of the system The vendor who built the system The type of device that is connected
"B. Even if you don't recognize the Windows Event ID, this query provides a number of useful clues. First, it has an interval of four hours, so you know a timeframe. Next, it lists data.login.user, which means you are likely querying user logins. Finally, it includes machine count, and >1, so you can determine that it is looking for more than one system that has been logged in to. Taken together, this means that the query looks for users who have logged in to more than one machine within any given four-hour period. Matt may want to tune this to a shorter time period, because false positives may result for technical support staff, but since most users won't log in to more than one machine, this could be a very useful threat-hunting query.
23. "James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system? Plug the system in to the network and capture the traffic quickly at the firewall using Wireshark or tcpdump. Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic. Review the ARP cache for outbound traffic. Review the Windows Firewall log for traffic logs.
"B. First, Kai should check the scan log to review the scan type and error code to check it via the Microsoft support site. The most likely cause from the list of provided answers is a conflict with another security product. While security practitioners often worry about malware on systems, a common cause of scan failures is a second installed antivirus package. If Kai doesn't find a second antivirus package installed, she should conduct a scan using another tool to see if malware may be the issue
53. Saanvi wants to prevent buffer overflows from succeeding against his organization's web applications. What technique is best suited to preventing this type of attack from succeeding? User input canonicalization User input size checking Format string validation Buffer overwriting
"B. Henry's implementation is a form of DNS sinkholing, which sends traffic to an alternate address that acts as the sinkhole for traffic that would otherwise go to a known bad domain.
11. While working to restore systems to their original configuration after a long-term APT compromise, Manish has three options: He can restore from a backup and then update patches on the system. He can rebuild and patch the system using original installation media and application software using his organization's build documentation. He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems. Which option should Manish choose in this scenario? Option A Option B Option C None of the above. Manish should hire a third party to assess the systems before proceeding.
"B. In cases where an advanced persistent threat (APT) has been present for an unknown period of time, backups should be assumed to be compromised. Since APTs often have tools that cannot be detected by normal anti-malware techniques, the best option that Manish has is to carefully rebuild the systems from the ground up and then ensure that they are fully patched and secured before returning them to service."
7. "Mei is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first? Authorized MAC Authorized SSID Authorized channel Authorized vendor
"B. In most cases, the first detection type Mei should deploy is a rogue SSID detection capability. This will help her reduce the risk of users connecting to untrusted SSIDs. She may still want to conduct scans of APs that are using channels they should not be, and of course her network should either use network access controls or scan for rogue MAC addresses to prevent direct connection of rogue APs and other devices.
74. As part of his incident response program, Allan is designing a playbook for zero-day threats. Which of the following should not be in his plan to handle them? Segmentation Patching Using threat intelligence Whitelisting
"B. John has discovered a program that is both accepting connections and has an open connection, neither of which are typical for the Minesweeper game. Attackers often disguise trojans as innocuous applications, so John should follow his organization's incident response plan."
"If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them? A. File size and file creation date B. MD5 hash C. Private key and cryptographic hash D. Public key and cryptographic hash
"B. Lucca only needs a verifiable MD5 hash to validate the files under most circumstances. This will let him verify that the file he downloaded matches the hash of the file that the vendor believes they are providing. There have been a number of compromises of vendor systems, such as open source projects that included distribution of malware that attackers inserted into the binaries or source code available for download, making this an important step when security is critical to an organization.
33. Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool? Text messaging A Jabber server with TLS enabled Email with TLS enabled A messaging application that uses the Signal protocol"
"B. Moving to a NAT environment will make the systems inaccessible from the outside world, massively reducing the organization's attack surface. Installing host firewalls would be a great second step, but could involve significant amounts of work to install and tune the firewalls."
9. The company that Brian works for processes credit cards and is required to be compliant with PCI DSS. If Brian's company experiences a breach of card data, what type of disclosure will they be required to provide? Notification to local law enforcement Notification to their acquiring bank Notification to federal law enforcement Notification to Visa and MasterCard
"B. Organizations that process credit cards work with acquiring banks to handle their card processing, rather than directly with the card providers. Notification to the bank is part of this type of response effort. Requiring notification of law enforcement is unlikely, and the card provider listing specifies only two of the major card vendors, none of which are specified in the question.
22. Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage? SNMP Portmon Packet sniffing NetFlow
"B. SNMP, packet sniffing, and NetFlow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial ports, not exactly the sort of tool you'd use to watch your network's bandwidth usage!
79. The Stuxnet attack relied on engineers who transported malware with them, crossing the air gap between networks. What type of threat is most likely to cross an air-gapped network? Email Web Removable media Attrition
"B. Scheduled tasks, service creation, and autostart registry keys are all commonly found on Windows systems for legitimate purposes. Replacing services is far less common unless a known upgrade or patch has occurred.
73. During an incident response process, Cynthia conducts a lessons learned review. What phase of the incident response process is she in? Preparation Detection and analysis Containment, eradication, and recovery Postincident recovery
"B. Syd has added an entry to the hosts file that routes all traffic for example.com to her local address. This is a useful technique to prevent a system from contacting a malicious host or domain, or to simply prevent a nontechnical user from visiting specific sites or domains."
"Charles needs to review the permissions set on a directory structure on a Window system he is investigating to determine whether the system contains unauthorized privileges. Which Sysinternals tool will provide him with this functionality? A. DiskView B. AccessEnum C. du D. AccessChk
"B. The Sysinternals suite provides two tools for checking access, AccessEnum and AccessChk. AccessEnum is a GUI-based program that gives a full view of filesystem and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent. AccessChk is a command-line program that can check the rights a user or group has to resources"
25. After completing an incident response process and providing a final report to management, what step should Casey use to identify improvement to her incident response plan? A. Update system documentation. B. Conduct a lessons learned session. Review patching status and vulnerability scans. Engage third-party consultants.
"B. The ps utility lists currently running processes, and aux are a set of flags that control which processes are selected. This output is then piped to grep, and all lines with the text apache2 will be selected. Then that list will be searched for the text root. This type of multiple piping can help quickly process large volumes of files and thousands or millions of lines of text.
69. "Rick wants to monitor permissions and ownership changes of critical files on the Red Hat Linux system he is responsible for. What Linux tool can he use to do this? watchdog auditctl dirwatch monitord
"B. The top command will show a dynamic, real-time list of running processes. If Amanda runs this, she will immediately see that two processes are consuming 99 percent of a CPU each and can see the command that ran the program."
66. "A server in the datacenter that Chris is responsible for monitoring unexpectedly connects to an off-site IP address and transfers 9 GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type? Flow logs with heuristic analysis SNMP monitoring with heuristic analysis Flow logs with signature-based detection SNMP monitoring with signature-based detection
"B. These commands will add filters to the INPUT ruleset that block traffic specifically from hosts A and B, while allowing only port 25 from host C. Option D might appear attractive but allows all traffic instead of only SMTP. Option A only drops SMTP traffic from host B (and all of the other hosts in its /24 segment), whereas option C allows traffic in from the hosts we want to block.
59. Which of the following is not an important part of the incident response communication process? Limiting communication to trusted parties Disclosure based on public feedback Using a secure method of communication Preventing accidental release of incident-related information
"B. This command uses the -i flag, which means it will ignore the case of the text. That means that grep will search all files with a .txt extension for any occurrences of example, regardless of the case or other letters around it.
16. Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network? Persistence of the beaconing Beacon protocol Beaconing interval Removal of known traffic"
"B. Unless she already knows the protocol that a particular beacon uses, filtering out beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge common analytical tools and will use protocols that are less likely to attract attention. Filtering network traffic for beacons based on the intervals and frequency they are sent at, if the beacon persists over time, and removing known traffic are common means of filtering traffic to identify beacons."
52. "Vlad wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about? The registry The user profile directory The wireless adapter cache Wireless network lists are not stored after use.
"C. Cormac built a reasonable initial list of operating system versions, but many devices on a modern network will not match this list, causing operating system version mismatch issues with the matching rules he built. He may need to either add broader lists of acceptable operating systems, or his organization may need to upgrade or replace devices that cannot be upgraded to acceptable versions."
85. Lauren recovers a number of 16GB and 32GB microSD cards during a forensic investigation. Without checking them manually, what filesystem type is she most likely to find them formatted in as if they were used with a digital camera? RAW FAT16 FAT32 APFS
"C. Damian has likely encountered an advanced persistent threat (APT). They are characterized as extremely well resourced actors whose compromises typically have an extended dwell time and the ability to scale capabilities to counter defenders over time.
75. "As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? An incident An event An adverse event A security incident"
"C. Endpoint detection and response (EDR) tools use software agents to monitor endpoint systems and to collect data about processes, user and system activity, and network traffic, which is then sent to a central processing, analysis, and storage system.
17. While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports? Different patch levels were used during the scans. They are scanning through a load balancer. There is a firewall between the remote network and the server. Scott or Joanna ran the vulnerability scan with different settings."
"C. Local scans often provide more information than remote scans because of network or host firewalls that block access to services. The second most likely answer is that Scott or Joanna used different settings when they scanned.
6. The organization that Jamal works for classifies security related events using NIST's standard definitions. Which classification should he use when he discovers key logging software on one of his frequent business travelers' laptop? An event An adverse event A security incident A policy violation
"C. NIST describes events like this as security incidents because they are a violation or imminent threat of violation of security policies and practices. An adverse event is any event with negative consequences, and an event is any observable occurrence on a system or network."
37. During a forensic analysis of an employee's computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation? A wiped C: drive Antiforensic activities All slack space cleared Temporary files and Internet history wiped"
"C. Session hijacking of insecurely implemented session cookies is the likely result from this type of issue. Matt should spend time with his developers to ensure that they have reviewed resources like the OWASP guides to secure session creation and maintenance.
41. Latisha wants to ensure that the two most commonly used methods for preventing Linux buffer overflow attacks are enabled for the operating system she is installing on her servers. What two related technologies should she investigate to help protect her systems? The NX bit and ASLR StackAntismash and DEP Position-independent variables and ASLR DEP and the position-independent variables
"C. The ATT&CK framework is focused on network defense and broadly covers threat hunting. CAPEC is focused on application security. CVSS is the Common Vulnerability Scoring System, and Mopar is a parts, service, and customer care organization that is part of Fiat Chrysler.
"Jeff discovers multiple JPEG photos during his forensic investigation of a computer involved in an incident. When he runs exiftool to gather file metadata, which information is not likely to be part of the images even if they have complete metadata intact? A. GPS location B. Camera type C. Number of copies made D. Correct date/timestamp
"C. The amount of metadata included in photos varies based on the device used to take them, but GPS location, GPS timestamp-based time (and thus correct, rather than device native), and camera type can all potentially be found. Image files do not track how many times they have been copied!
21."Which one of the following file manipulation commands is not used to display the contents of a file? head tail chmod cat
"C. The chmod command is used to change the permissions on a file. The head and tail commands are used to display the beginning and end of a file, respectively. The cat command is used to display an entire file.
87. After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs? Power them down, take pictures of how each is connected, and log each system in as evidence. Take photos of each system, power them down, and attach a tamper-evident seal to each PC. Collect live forensic information, take photos of each system, and power them down. Collect a static drive image, validate the hash of the image, and securely transport each system."
"C. The increasing digit of the IP address of the target system (.6, .7, .8) and the ICMP protocol echo request indicate that this is a ping sweep. This could be part of a port scan, but the only behavior that is shown here is the ping sweep. This is ICMP, and cannot be a three-way handshake, and a traceroute would follow a path, rather than a series of IP addresses.
26. "The senior management at the company that Kathleen works for is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information? A discovery scan using a port scanner Router and switch-based MAC address reporting A physical survey Reviewing a central endpoint administration tool.
"C. The most likely scenario in this circumstance is that the headers were forged to make the email appear to come from example.com, but the email was actually sent from mail.demo.com."
76. "Fred wants to identify digital evidence that can place an individual in a specific place at a specific time. Which of the following types of digital forensic data is not commonly used to attempt to document physical location at specific times? Cell phone GPS logs Photograph metadata Cell phone tower logs Microsoft Office document metadata
"C. This command will prevent commands entered at the Bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks."
89. "During their organization's incident response preparation, Manish and Linda are identifying critical information assets that the company uses. Included in their organizational data sets is a list of customer names, addresses, phone numbers, and demographic information. How should Manish and Linda classify this information? PII Intellectual property PHI PCI DSS
"D. Although the CySA+ exam includes email signatures in the list of items you may want to analyze, the same techniques are used to analyze the entire body of an email for malicious links and payloads. Header data is often checked against IP reputation databases and other checks that can help limit email from spam domains and known malicious senders. Signature blocks, however, are not typically a primary analysis tool.
29. As Lauren prepares her organization's security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness? Attrition Impersonation Improper usage Web"
"D. Email headers contain the message ID, date, to, from, user agent, IP addresses of both the sender and the receiver, and information about the email servers along the path between them. They do not contain a private key."
86. "While checking for bandwidth consumption issues, Bohai uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent over 20GB. What problem has Bohai encountered? A. A rootkit is concealing traffic from the Linux kernel. B. Flow logs show traffic that does not reach the system. C. ifconfig resets traffic counters at 4 GB. D. ifconfig only samples outbound traffic and will not provide accurate information.
"D. Linux and Unix systems typically keep user account information stored in /etc/passwd, and /etc/shadow contains password and account expiration information. Using diff between the two files is not a useful strategy in this scenario.
58. Saanvi needs to validate the MD5 checksum of a file on a Windows system to ensure that there were no unauthorized changes to the binary file. He is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file? md5sum certutil sha1sum hashcheck
"D. Mateo's only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default, since they are appliances they may not have host firewalls available to enable. They also often don't have patches available, and many appliances do not allow the services they provide to be disabled or modified.
43. Alex suspects that an attacker has modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determining whether this has occurred? file stat strings grep
"D. Oracle databases default to TCP port 1521. Traffic from the "outside" system is being denied when it attempts to access an internal system via that port.
63. "Forensic investigation shows that the target of an investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence? Clear Purge Destroy None of the above
"D. The key requirements here are that this is an existing network and that the systems are BYOD. That means that Latisha should focus on an agentless system to remove the hurdles that agent-based scanning requires and that an out-of-band solution is likely appropriate since they are easier to retrofit to an existing network than an in-line solution, which can require rearchitecting a network to place the in-line NAC device into a central control location. It is important to note that Latisha will likely have less visibility than she would have with an agent-based system.
70. "Janet is attempting to conceal her actions on a company-owned computer. As part of her cleanup attempts, she deletes all the files she downloaded from a corporate file server using a browser in incognito mode. How can a forensic investigator determine what files she downloaded? Network flows SMB logs Browser cache Drive analysis
"D. The kill command is used to end processes in Linux. Amanda should issue the kill -9 command followed by the process ID of the processes she wants to end (the -9 flag is the signal, and means "really try hard to kill this process"). Since she has run both top and htop, she knows that she needs to end processes 3843 and 3820 to stop stress from consuming all her resources. A little research after that will show her that stress is a stress testing application, so she may want to ask the user who ran it why they were using it if it wasn't part of their job.
78. "In his role as a small company's information security manager, Mike has a limited budget for hiring permanent staff. Although his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents? Outsource to a third-party SOC Create an internal SOC Hire an internal incident response team Outsource to an incident response provider
"D. The passwd binary stands out as having recently changed. This may be innocuous, but if Marta believes the machine was compromised, there is a good chance the passwd binary has been replaced with a malicious version. She should check the binary against a known good version, and then follow her incident response process if it doesn't match."
81. "Bohai wants to ensure that media has been properly sanitized. Which of the following options properly lists sanitization descriptions from least to most effective? Purge, clear, destroy Eliminate, eradicate, destroy Clear, purge, destroy Eradicate, eliminate, destroy
"D. The strings command extracts strings of printable characters from files, allowing Ben to quickly determine the contents of files. Grep would require knowing what he is looking for, and both more and less will simply display the file, which is often not a useful strategy for binaries.
77. Kai has completed the validation process of her media sanitization efforts and has checked a sample of the drives she had purged using a built-in cryptographic wipe utility. What is her next step? Resample to validate her testing. Destroy the drives. Create documentation. She is done and can send the drives on for disposition."
"D. When an email is forwarded, a new message with a new Message-ID header will be created. The In-Reply-To and References field will also be set as normal. The best option that Charles has is to look for clues like a subject line that reads "FWD"—something that is easily changed."
28. "In order, which set of Linux permissions are least permissive to most permissive? 777, 444, 111 544, 444, 545 711, 717, 117 111, 734, 747
"D. While SPF and DKIM can help, combining them to limit trusted senders to only a known list and proving that the domain is the domain that is sending the email combine in the form of DMARC to prevent email impersonation when other organizations also DMARC."
49. "During a forensic investigation, Kwame records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Kwame is using as he labels evidence with details of who acquired and validated it? Direct evidence Circumstantial evidence Incident logging Chain of custody" Excerpt From CompTIA CySA+ Practice Tests Mike Chapple & David Seidl https://books.apple.com/us/book/comptia-cysa-practice-tests/id1530277812 This material may be protected by copyright.
"D. While the infection may not cause the business to lose data, there is an effect as systems must be restored and investigation will need to be done to determine if data was lost in addition to being encrypted in place." Excerpt From CompTIA CySA+ Practice Tests Mike Chapple & David Seidl https://books.apple.com/us/book/comptia-cysa-practice-tests/id1530277812 This material may be protected by copyright.
14. Frank wants to log the creation of user accounts on a Windows workstation. What tool should he use to enable this logging? secpol.msc auditpol.msc regedit Frank does not need to make a change; this is a default setting."
"D. Windows audits account creation by default. Frank can search for account creation events under event ID 4720 for modern Windows operating systems. "
67. Mei's team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model? Regular Supplemented Extended Not recoverable
A. Adding an iptables entry uses the -A flag to add to a list. Here, we can safely assume that OUTPUT is the outbound ruleset. The -d flag is used to designate the IP address or subnet range, and -j specifies the action, DROP.
"Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system? A. Both /etc/passwd and /etc/shadow B. /etc/shadow C. /etc/passwd D. Chris cannot recover passwords; only hashes are stored.
A. Chris needs both the /etc/passwd and the /etc/shadow files for John the Ripper to crack the passwords. Although only hashes are stored, John the Ripper includes built-in brute-force tools that will crack the passwords.
64. Angela wants to use her network security device to detect potential beaconing behavior. Which of the following options is best suited to detecting beaconing using her network security device? Antivirus definitions File reputation IP reputation Static file analysis
A. Group Policy Objects (GPOs) are used to enforce security and configuration requirements within Active Directory. Active Directory forests and organizational units (OUs) are designed to organize systems and users hierarchically and do not directly allow security configurations, although GPOs may be applied to them. Domain controllers (DCs) are the servers that are responsible for providing Active Directory Domain Services to the organization and would be the point for applying and enforcing the GPO."
38. "Jessica wants to recover deleted files from slack space and needs to identify where the files begin and end. What is this process called? Slacking Data carving Disk recovery Header manipulation"
B. Brute-force attacks rely on the ability to make multiple attempts to log in, access a service, or otherwise allow probes. A back-off algorithm can limit or prevent this by ensuring that only a limited number of attempts are possible before delays or a timed lockout occurs.
10. Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system? chbkup getfacl aclman There is not a common Linux permission backup tool."
B. Linux provides a pair of useful ACL backup and restore commands: getfacl allows recursive backups of directories, including all permissions to a text file, and setfacl restores those permissions from the backup file. Both aclman and chbkup were made up for this question.
45. Cameron believes that the Ubuntu Linux system that he is restoring to service has already been fully updated. What command can he use to check for new updates, and where can he check for the history of updates on his system? apt-get -u upgrade, /var/log/apt rpm -i upgrade, /var/log/rpm upgrade -l, /var/log/upgrades apt-get install -u; Ubuntu Linux does not provide a history of updates.
B. Testing for common sample and default files is a common tactic for vulnerability scanners. Nara can reasonably presume that her Apache web server was scanned using a vulnerability scanner."
18. As part of his organization's cooperation in a large criminal case, Adam's forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam's team take prior to sending a drive containing the forensic image? Encode in EO1 format and provide a hash of the original file on the drive. Encode in FTK format and provide a hash of the new file on the drive. Encrypt the RAW file and transfer a hash and key under separate cover. Decrypt the RAW file and transfer a hash under separate cover.
C. A general best practice when dealing with highly sensitive systems is to encrypt copies of the drives before they are sent to third parties. Adam should encrypt the drive image and provide both the hash of the image and the decryption key under separate cover (sent via a separate mechanism) to ensure that losing the drive itself does not expose the data. Once the image is in the third-party examiner's hands, they will be responsible for its security. Adam may want to check on what their agreement says about security."
88. "In his role as a forensic examiner, Lukas has been asked to produce forensic evidence related to a civil case. What is this process called? Criminal forensics E-discovery Cyber production Civil tort
C. API-based integrations allow a SOAR environment to send queries as required for the data they need. Flat files and CSVs can be useful when there is no API, or when there isn't support for the API in an environment, and real-time integration is not required. Email integrations can result in delays as email delivery is not done at a guaranteed speed and can require additional parsing and processing to extract information. Although it isn't in the list here, Bruce might consider a direct database connection if he was unable to use an API and wanted real-time data.
8. Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. What phase of the incident response process is Dan in? Postincident activity Detection and analysis Preparation Containment, eradication, and recovery
C. Dan's efforts are part of the preparation phase, which involves activities intended to limit the damage an attacker could cause."
54. Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need? Suspend the machine and copy the contents of the directory it resides in. Perform a live image of the machine. Suspend the machine and make a forensic copy of the drive it resides on. Turn the virtual machine off and make a forensic copy of it.
C. Maria can push an updated hosts file to her domain connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would only work if all of the systems were using local DNS, and offsite users are likely to have DNS settings set by the local networks they connect to. Antimalware applications may not have an update yet, or may fail to detect the malware, and forcing a BGP update for third-party networks is likely a bad idea."
42. Angela is attempting to determine when a user account was created on a Windows 10 workstation. What method is her best option if she believes the account was created recently? Check the System log. Check the user profile creation date. Check the Security log. Query the registry for the user ID creation date.
C. NAC (Network Access Control) can combine user or system authentication with client-based or clientless configuration and profiling capabilities to ensure that systems are properly patched, configured, and are in a desired security state. Whitelisting is used to allow specific systems or applications to work, port security is a MAC address filtering capability, and Extensible Authentication Protocol (EAP) is an authentication protocol."
44. Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes? Success Fail Full control All"
C. Packers, or runtime packers, are tools that self-extract when run, making the code harder to reverse-engineer. Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read. Protectors are software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies. Shufflers were made up for this question.
90. As Mika studies her company's computer forensics playbook, she notices that forensic investigators are required to use a chain of custody form. What information would she record on that form if she was conducting a forensic investigation? A. The list of individuals who made contact with files leading to the investigation B. The list of former owners or operators of the PC involved in the investigation C. All individuals who work with evidence in the investigation D. The police officers who take possession of the evidence"
C. TCP port 22 indicates that this is most likely an SSH scan, and the single packet with no response traffic indicates unsuccessful connection attempts. If the system is not normally used for scanning for open SSH servers, Alice should look into why it is behaving this way."
47. Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed? Logical Bit-by-bit Sparse None of the above"
D. Adam's Snort rule is looking for a specific behavior—in this case, web traffic to example.com's download script. Rules looking for anomalies typically require an understanding of "normal," whereas trend-based rules need to track actions over time and availability-based analysis monitors uptime.
82. Degaussing is an example of what form of media sanitization? Clearing Purging Destruction It is not a form of media sanitization."
D. DNS sinkholes can block many types of drive-by downloads by preventing systems from connecting to malicious sites. DNS sinkholes do have limitations: they only work when a DNS query occurs, which means that some malware uses IP addresses directly to avoid them. They also can't stop malware from being executed, and of course malware could use a hard-coded DNS server instead of the organization's DNS server.
32. Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the on-site team. Why are the items labeled like this? To ensure chain of custody To ensure correct reassembly To allow for easier documentation of acquisition To tamper-proof the system"
D. Rule 4 is correctly designed to allow SSH access from external networks to the server located at 10.15.1.3. The error is not with the firewall rulebase, and Chris should search for other causes."
68. Which of the following mobile device forensic techniques is not a valid method of isolation during forensic examination? Use a forensic SIM. Buy and use a forensic isolation appliance. Place the device in an antistatic bag. Put the device in airplane mode."
D. This view of htop shows both CPU1 and CPU2 are maxed out at 100 percent. Memory is just over 60 percent used. Almost all swap space is available."