DFIR Exam


Let's build an IR team, whom do we need?

A. Analyst - Does ALL of the work.
B. IR Manager - Manages up, helps herd the cats, removes blockers.
C. Researcher - Malware analysis, digs into vulnerabilities, etc.

What types of things do we do in Digital Forensics?

A. Collecting information - collecting artifacts to analyze.
B. Examining artifacts - looking for malware and signs of compromise.
C. Reporting - we write comprehensive technical reports.

What is a sandbox used for?
A. Isolating an operating system to check files.
B. Testing malware without affecting the host system.
C. Running new apps.
D. Clearing infected files from the host system.

B. Testing malware without affecting the host system.

Which of the following tools can interface with Windows OS and a RAM dump?
A. CAINE (Computer Aided INvestigative Environment)
B. Volatility
C. Wireshark (protocol analyzer)
D. SIFT (SANS incident)

B. Volatility

How can malware be detected?
A. By scanning the system folder.
B. It cannot be detected.
C. By searching for abnormal activities.
D. By changing folder permissions.

C. By searching for abnormal activities.

Which of the following is a digital forensic method?
A. Deleting files
B. Steganography
C. Live analysis
D. All of the above

C. Live analysis

Define the CSIRT Acronym

Computer Security Incident Response Team

What is the order of the IR lifecycle?

Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. Note: the lifecycle has no phase called 'identification' or 'termination'.
