DFIR Overview
What is the method of loading more than one data sector into a single file called? A. Alternate Data Stream (ADS) B. Deleting a file C. Encrypting a file D. None of the Above
A. Alternate Data Stream (ADS)
David wants to test company software and analyze its behavior in real time. Which of the following methods should he use? A. Dynamic analysis B. Static analysis C. Sandbox analysis D. MTTR
A. Dynamic analysis
Which of the following is software that can both clone a disk and dump memory? A. FTK Imager B. NMAP C. EWF D. DD
A. FTK Imager
What is the Linux equivalent of the MFT? A. Inode B. MBR C. NTFS D. Ext4
A. Inode
Which is a stable tool used for doing a memory dump in Linux? A. LiME B. LeMONaide C. Redact D. Netstat
A. LiME
What do Pslist and Pstree help show in memory forensics? A. Lists out processes and their parent child relationships B. Lists out IPs and Domains C. List out DLLs and associated processes D. None of the Above
A. Lists out processes and their parent child relationships
Which of the following services provides proof of the origin and integrity of data? A. Non-repudiation B. Accountability C. SOC D. Logs and event anomalies
A. Non-repudiation
Which of the following is a debugger that can be used to analyze malware while it's running?A. OllyDbg B. NMAP C. HxD D. None of the above
A. OllyDbg
Bob, a security analyst, received notifications from a program called code.exe and wants to examine its process. Which of the following can help him examine the process? A. Process Dump B. DLL Dump C. Memory Dump D. All of the above
A. Process Dump
What is a useful piece of process information that is volatile? A. Remote Connections B. Registry Settings C. Security Event Logs D. All of the Above
A. Remote Connections
Which of the following is used for minimal footprint in a system? A. Static binaries B. Netcat C. Netstat D. Lsof
A. Static binaries
Why is it important to use logs? A. They store records of potentially important events. B. They record web-related attacks. C. They store records of well-known attacks. D. None of the above.
A. They store records of potentially important events.
Which of the following is a common use for proxies? A. Traffic Inspection B. VPN capabilities C. Application Scanning D. All of the above
A. Traffic Inspection
Which of the following programming languages issues machine code instructions and is difficult to learn? A. C B. Assembly C. Pascal D. Fortran
B. Assembly
What part of the CIA Triad deals with making sure users can access data and services? A. Confidentiality B. Availability C. Integrity D. Accountability
B. Availability
What is the main purpose of Live Forensics? A. Getting things done fast is the most important when dealing with forensics B. Capturing volatile data that will be lost once the system is powered down C. You can use the system in question to do your analysis D. Playing with fire is fun
B. Capturing volatile data that will be lost once the system is powered down
John was tasked to investigate a network attack in accordance with the network forensics investigation flow process. What should be John's first step? A. Filter by IOCs and gathered data B. Check for malware signatures C. Analyze the protocol data D. Identify traffic abnormalities
B. Check for malware signatures
Which of the following is a tool used for Drive Cloning? A. FastDump B. DD C. HxD D. Volatility
B. DD
Tom wants to check sites that were accessed by employees to make sure they are not entering prohibited sites. Which of the following should he check to do that? (This doesn't make sense) A. Site cache B. DNS cache C. Server cache D. None of the above.
B. DNS cache
What is an organization's most valuable asset? A. Money in the bank B. Employees C. Buildings D. Corporate Secrets
B. Employees
Why is it important to use an IR plan? A. It is necessary for when the SOC crashes due to a ransomware attack. B. Having an IR plan can help focus on performing the necessary tasks. C. An IR plan is used once, when the IR team still isn't ready to operate. D. None of the above.
B. Having an IR plan can help focus on performing the necessary tasks.
Volatile memory is saved to disk when you do this? A. Lock Screen B. Hibernation C. Alt+F4 D. Shutdown
B. Hibernation
What is the PowerShell command for installing PowerForensics? A. import-Module PowerForensics B. Install-Module -Name PowerForensics C. Install-Module PowerForensics D. Get-PowerForensics
B. Install-Module -Name PowerForensics
Which is a command that can be used to acquire process information on Linux? A. Ls B. Lsof C. Netstat D. Cat
B. Lsof
Which of the following was one of the institutions that created the modern-day approach to Incident Response A. CIA B. NIST C. CompTIA D. (ISC)2
B. NIST
Which of the following serves as a source for network traffic data sources? A. Threat Intel B. Network Logs C. ProcMon D. All of the above
B. Network Logs
What is the correct process used by APT groups? A. Priv Esc > External and Internal Takeover > Hiding and Info Theft B. OSINT > External Takeover > Priv Esc> Lateral Move and Int TO > Hiding/IT C. OSINT > Internal Takeover > Lateral Movement > Information Theft D. None of the above.
B. OSINT > External Takeover > Priv Esc> Lateral Move and Int TO > Hiding/IT
What is an example of an intangible asset? A. Vehicles B. Patents C. Software D. Hardware
B. Patents
Which of the following contains RAW data, has no format, only bytes, and requires tools for capture? A. Primary memory B. Physical memory C. Virtual memory D. Secondary memory
B. Physical memory
Which is a PowerShell forensics framework? A. DD B. PowerForensics C. FTK Imager D. Volatility
B. PowerForensics
Which of the following is part of the APT attack flow? A. Threat Intelligence B. Privilege Escalation C. Encrypt organizational data D. None of the above
B. Privilege Escalation
Which of the following tools allows for the repeating of previously captured traffic? A. UDPReplay B. TCPReplay C. TCPRepeater D. None of the above
B. TCPReplay
What is the difference between threat hunting (TH) and threat intelligence (TI) A. TH works with tools, TI does not work with tools. B. TI is a process within TH and involves learning from other sources. C. Threat Hunting is a red team job, Threat Intelligence is a blue team job. D. Threat Hunting and Threat Intelligence are the same.
B. TI is a process within TH and involves learning from other sources.
Which of the following is an anti-forensic technique? A. Strings B. Tunneling C. MIPS D. All of the above
B. Tunneling
Which of the following is a live Linux distribution dedicated to cloning drives? A. CAINE B. FTK Imager C. Clonezilla D. Autopsy
C. Clonezilla
What is the newest type of Boot Record called? A. MBR B. SDN C. GPT D. MFT
C. GPT
Which of the following is a common identification method that can verify the identity of specific files? A. Firewall B. Binary pattern C. Hashing D. Data sanitization
C. Hashing
What part of the CIA Triad deals with making sure data is not improperly changed? A. Confidentiality B. Availability C. Integrity D. Non-Repudiation
C. Integrity
Which IS NOT an investigation step for Memory Analysis? A. Investigating rogue processes B. Check DLLs used by various executables C. Make sure logs are sent to your SIEM D. Check network activity and artifacts
C. Make sure logs are sent to your SIEM
Which is a tool that can be used to do data acquisition over a network? A. Nmap B. DD C. Netcat D. FTK Imager
C. Netcat
Which of the following is a description of an IDS? A. Network device that proactively protects traffic B. Network decrypting device C. Network device that inspects traffic D. None of the above
C. Network device that inspects traffic
Which of the following is a Memory Dump format? A. ISO B. PDF C. RAW D. TXT
C. RAW
After you enter a website, a pop-up appears saying your computer files were infected and offering to fix the problem for a small fee. Which of the following attacks did you encounter? A. Worm B. Evil Twin C. Scareware D. MITM
C. Scareware
When looking at Inodes, what command shows only deleted nodes? A. ffstat B. losetup C. ils D. df -T
C. ils
What is something you want to search for in Memory Forensics? A. Parental Structures B. Hidden Processes C. Suspicious Details D. All of the Above
D. All of the Above
What will display recent user activity? A. Most Recently Used (MRU) B. Jump List C. RunMRU D. All of the Above
D. All of the Above
Which network artifact is available during memory analysis? A. Open Sockets B. IP Address C. Created Time D. All of the Above
D. All of the Above
Which of the following is a Recoverable Artifact? A. Registry Entries B. Browser History C. Master File Table D. All of the Above
D. All of the Above
Browser cache artifacts include: A. Cookies B. Browsed URLS C. User Accounts D. All of the above
D. All of the above
What are potential analysis targets for PowerForensics? A. Windows Artifacts B. Windows Registry C. Application Cache D. All of the above
D. All of the above
Which of the following Linux component(s) has/have file representation? A. Running processes B. Configurations C. Settings D. All of the above
D. All of the above
Which of the following is a network connection analysis plug-in for Volatility? A. Netscan B. Connscan C. Sockets D. All of the above
D. All of the above
Which of the following is a step in the Network Forensic investigation flow? A. Identify traffic abnormalities B. Analyze the protocol data C. Filter by IOCs and gathered data D. All of the above
D. All of the above
Which of the following is a type of hacker? A. Cybercriminals pursuing financial gains B. Hacktivists pursuing ideology C. State-sponsored attackers focused on collecting information D. All of the above
D. All of the above
Which of the following is a valid CPU Architecture? A. ARM B. AMD C. MIPS D. All of the above
D. All of the above
Which of the following is a valid capture format? A. RAW B. dd C. ISO D. All of the above
D. All of the above
Which of the following is an investigation step when performing Memory Analysis? A. Rootkits B. Network C. DLL & Handles D. All of the above
D. All of the above
Which of the following is a tool that can be used to detect persistent malware? A. IOC B. DD C. UPX D. Autoruns
D. Autoruns
Which of the following is a popular suite of Linux tool binaries? A. Nirsoft B. Sysinternals C. Swap Digger D. Busybox
D. Busybox
Which of the following is a memory dumping tool? A. VMDK B. DD C. GREP D. FTK Imager
D. FTK Imager
What is a forensic artifact? A. A SIEM solution B. Dinosaur bones and ancient relics C. RAM D. Files to which data is written to and can be later recovered
D. Files to which data is written to and can be later recovered
What is another name for file headers that help us identify a file type? A. File Carving B. LSASS C. ADS D. Magic Numbers
D. Magic Numbers
Which of the following systems contains metadata for each stored file? A. FAT32 B. FAT C. exFAT D. NTFS
D. NTFS
John opened an executable file and noticed unusual activity, such as files that opened on their own. For further investigation, he wanted to check if any new network connections were established. Which of the following tools can check network connections? A. Net framework B. Telnet C. FakeNet-ng D. Netstat
D. Netstat
What part of the CIA Triad deals with making sure that someone cannot deny the validity of something? A. Confidentiality B. Availability C. Integrity D. Non-Repudiation
D. Non-Repudiation
Which is not an Intel debugging term? A. INT3/0xCC B. Patching C. Breakpoint D. None of the above
D. None of the above
Browser Caches contain browsed URLs only True False
False
DNS Cache is erased when the browser history is erased. True False
False
It is NOT possible to find URLs during Memory Analysis. True False
False
It is not possible to do a drive capture over the network. True False
False
MBR is the Boot Record Type for Windows 10. True False
False
Memory.dmp files can be read natively by Volatility. True False
False
Most data in Linux is binary. True False
False
Pi is a CPU architecture. True False
False
PowerForensics only works on Live Systems. True False
False
Processes in Linux have a parent-child relationship. True False
False
The FAT32 file system allows for Alternative Data Streams (ADS). True False
False
There is no way to recover browser activity. True False
False
Volatility is a drive cloning software. True False
False
WinPrefetchView is a tool to read browser artifacts. True False
False
Zeek-Cut doesn't have the ability to parse through and filter a pcap file. True False
False
"vol.py -f Imageinfo" is the command for identifying profiles within a memory artifact when using Volatility. True False
True
Command line data can be found in memory analysis. True False
True
Debugging malware is a slow and tedious process. True False
True
Diaster Recovery Plan (DRP) is defined as outlining response strategies for unplanned events. True False
True
Errors can occur in PowerForensics when parsing drives larger than 2 TB. True False
True
Hashing can be used to verify the integrity of a drive copy. True False
True
It is possible to obtain a memory dump after a system has been shut down. True False
True
Linux does journaling on its file system. True False
True
NTFS can do file disk compression. True False
True
On NTFS file systems, deleted files are recoverable. True False
True
PowerShell history is a volatile memory artifact. True False
True
Prefetch was designed to speed-up the loading of commonly used applications. True False
True
RACI stands for Responsible, Accountable, Consulted & Informed. True false
True
Sometimes only partial image captures are possible. True False
True
Sterilized Media is recommended for data acquisition. True False
True
Swap Digger is a bash script for analyzing swap space. True False
True
There are ways to evade debugging tools. True False
True
UPX is a tool used that can be used to obfuscate malware code. True False
True
Volatility is the most popular Memory Forensics toolkit. True False
True