Domain 4.0: Incident Response
C. The only solution from Latisha's list that might work is to capture network flows, remove normal traffic, and then analyze what is left. Peer-to-peer botnets use rapidly changing control nodes and don't rely on a consistent, identifiable control infrastructure, which means that traditional methods of detecting beaconing will typically fail. They also use quickly changing infection packages, making signature-based detection unlikely to work. Finally, building a network traffic baseline after an infection will typically make the infection part of the baseline, resulting in failure to detect malicious traffic.
A major new botnet infection that uses a peer-to-peer command-and-control process has been released. Latisha wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems? A. Build an IPS rule to detect all peer-to-peer communications that match the botnet's installer signature. B. Use beaconing detection scripts focused on the command-and-control systems. C. Capture network flows for all hosts and use filters to remove normal traffic types. D. Immediately build a network traffic baseline and analyze it for anomalies.
A. Flow logs would show Chris the outbound traffic flows, including the remote IP addresses and the volume of traffic, and behavioral (heuristic) analysis will help him alert on similar behaviors. Chris should build an alert that alarms when servers in his datacenter connect to domains that are not already whitelisted and should strongly consider whether servers should be allowed to initiate outbound connections at all.
A server in the datacenter that Chris is responsible for monitoring unexpectedly connects to an off-site IP address and transfers 9 GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type? A. Flow logs with heuristic analysis B. SNMP monitoring with heuristic analysis C. Flow logs with signature-based detection D. SNMP monitoring with signature-based detection
C. The pseudocode tells you that Adam is trying to detect outbound packets that are part of short communications (fewer than 10 packets and fewer than 3,000 bytes) and that he believes the traffic may appear to be web traffic, be general TCP traffic, or not match known traffic types. This is consistent with the attributes of beaconing traffic. Adam also is making sure that general web traffic won't be captured by not matching on uripath and contentencoding.
Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect? destip: [*] and duration < 10 packets and destbytes < 3000 and flowcompleted = true and application = http or https or tcp or unknown and content != uripath:* and content != contentencoding:* A. Users browsing malicious sites B. Adware C. Beaconing D. Outbound port scanning
C. Under most circumstances Ophcrack's rainbow table-based cracking will result in the fastest hash cracking. Hashcat's high-speed, GPU-driven cracking techniques are likely to come in second, with John the Ripper and Cain and Abel's traditional CPU-driven cracking methods remaining slower unless their mutation-based password cracks discover simple passwords very quickly.
Adam wants to quickly crack passwords from a Windows system. Which of the following tools will provide the fastest results in most circumstances? A. John the Ripper B. Cain and Abel C. Ophcrack D. Hashcat
D. Windows systems record new device connections in the security audit log if configured to do so. In addition, information is collected in both the setupapi log file and in the registry, including information on the device, its serial number, and often manufacturer and model details. The user's profile does not include device information.
After Janet's attempts to conceal her downloads of important corporate information were discovered, forensic investigators learned that she frequently copied work files to a USB drive. Which of the following is not a possible way to manually check her Windows workstation for a list of previously connected USB drives? A. Check the security audit logs. B. Check the setupapi log file. C. Search the registry. D. Check the user's profile.
D. MBR-, UEFI-, and BIOS-resident malware packages can all survive a drive wipe, but hiding files in slack space will not survive a zero wipe. Although these techniques are uncommon, they do exist and have been seen in the wild.
After zero-wiping a system's hard drive and rebuilding it with all security patches and trusted accounts, Azra is notified that the system is once again showing signs of compromise. Which of the following types of malware package cannot survive this type of eradication effort? A. An MBR-resident malware tool B. A UEFI-resident malware C. A BIOS-resident malware D. A slack space-resident malware package
A. Chrome stores a broad range of useful forensic information in its SQLite database, including cookies, favicons, history, logins, top sites, web form data, and other details. Knowing how to write SQL queries or having access to a forensic tool that makes these databases easy to access can provide a rich trove of information about the web browsing history of a Chrome user.
Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form fill information saved in? A. SQLite B. Plain text C. Base64 encoded text D. NoSQL
C. If a device is powered on, the SIM should not be removed until after logical collection has occurred. Once logical collection has occurred, the device should be turned off, and then the SIM card can be removed. If this were not an iPhone, Amanda might want to check to ensure that the device is not a dual or multi-SIM device.
Amanda has been tasked with acquiring data from an iPhone as part of a mobile forensics effort. At what point should she remove the SIM (or UICC) card from the device if she receives the device in a powered-on state? A. While powered on, but after logical collection B. While powered on, prior to logical collection C. While powered off, after logical collection D. While powered off, before logical collection
B. A temporary untrusted network segment can be created, and a span port or tap can be used to see traffic leaving the infected workstation. Wireshark or tcpdump can be used to help build a fingerprint of the beaconing behavior.
An admin wants to use a system exhibiting beaconing behavior to identify other infected systems. How can a fingerprint be created for the beaconing without modifying the infected system? A. Plug the system into the network and capture the traffic quickly at the firewall using Wireshark or tcpdump B. Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic C. Review the ARP cache for outbound traffic D. Review the Windows firewall log for traffic logs
A. The Linux file command shows a file's format, encoding, what libraries it is linked to, and its file type (binary, ASCII text, etc.). Since Alex suspects that the attacker used statically linked libraries, the file command is the best command to use for this scenario. stat provides the last time accessed, permissions, UID and GID bit settings, and other details. It is useful for checking when a file was last used or modified but won't provide details about linked libraries. strings and grep are both useful for analyzing the content of a file and may provide Alex with other hints but won't be as useful as the file command for this purpose. Chapple, Mike; Seidl, David. CompTIA CySA+ Practice Tests (p. 429). Wiley. Kindle Edition.
An attacker is suspected to have modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determine whether this has occurred? A. file B. stat C. strings D. grep
C. The command line for snmpwalk provides the clues you need. The -c flag specifies a community string to use, and the -v flag specifies the SNMP version. Since the community string (public) is already known from the command line, you can presume that root is the contact name rather than the community string.
As part of a test of her network's monitoring infrastructure, Kelly uses snmpwalk to validate her router SNMP settings. She executes snmpwalk as shown here:
snmpwalk -c public 10.1.10.1 -v1
iso.3.6.1.2.1.1.0 = STRING: "RouterOS 3.6"
iso.3.6.1.2.1.2.0 = OID: iso.3.6.1.4.1.30800
iso.3.6.1.2.1.1.3.0 = Timeticks: (1927523) 08:09:11
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "RouterOS"
...
Which of the following pieces of information is not something she can discover from this query? A. SNMP v1 is enabled. B. The community string is public. C. The community string is root. D. The contact name is root.
C. NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn't be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. Intentional or malicious access would cause the adverse event to become a security incident.
As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? A. An incident B. An event C. An adverse event D. A security incident
A. A logical acquisition focuses on specific files of interest, such as a specific type of file, or files from a specific location. In Eric's case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit-by-bit acquisition is typically performed for a full drive and will take longer.
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed? A. Logical B. Bit-by-bit C. Sparse D. None of the above
A. FISMA requires that U.S. federal agencies report incidents to US-CERT. CERT/CC is the coordination center of the Software Engineering Institute and researches software and Internet security flaws as well as works to improve software and Internet security. The National Cyber Security Authority is Israel's CERT, whereas the National Cyber Security Centre is the UK's CERT.
Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to? A. US-CERT B. The National Cyber Security Authority C. The National Cyber Security Centre D. CERT/CC
C. BitLocker keys can be retrieved by analyzing hibernation files or memory dumps or via a FireWire attack for mounted drives. The BitLocker key is not stored in the MBR. After Carlos finishes this investigation, he may want to persuade his organization to require BitLocker key escrow to make his job easier in the future.
Carlos needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following is not a method that he could use to acquire the BitLocker key? A. Analyzing the hibernation file B. Analyzing a memory dump file C. Retrieving the key from the MBR D. Performing a FireWire attack on mounted drives
B. Services are often started by xinetd (although newer versions of some distributions now use systemctl). Both /etc/passwd and /etc/shadow are associated with user accounts, and $HOME/.ssh/ contains SSH keys and other details for SSH-based logins.
Casey's search for a possible Linux backdoor account during a forensic investigation has led her to check through the filesystem for issues. Where should she look for back doors associated with services? A. /etc/passwd B. /etc/xinetd.conf C. /etc/shadow D. $HOME/.ssh/
B. While both AccessEnum and AccessChk check access permissions, AccessEnum provides a GUI that gives a full view of filesystem and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent. AccessChk is a command-line program that can check the rights a user or group has to resources.
Charles needs to review the permissions set on a directory structure on a Windows system he is investigating to determine whether the system contains unauthorized privileges. Which Sysinternals tool will provide him with this functionality? A. DiskView B. AccessEnum C. du D. AccessChk
D. The page file, like many system files, is locked while Windows is running. Charles simply needs to shut down the system and copy the page file. Some Windows systems may be set to purge the page file when the system is shut down, so he may need to pull the plug to get an intact page file.
Charles wants to perform memory forensics on a Windows system and wants to access pagefile.sys. When he attempts to copy it, he receives an error indicating the file is open in another program. What access method is required to access the page file? A. Run Windows Explorer as an administrator and repeat the copy. B. Open the file using fmem. C. Run cmd.exe as an administrator and repeat the copy. D. Shut the system down, remove the drive, and copy it from another system.
B. Organizations that process credit cards work with acquiring banks to handle their card processing, rather than directly with the card providers.
If a company compliant with PCI DSS experiences a breach of credit card data, what type of disclosure will they be required to provide? A. Notification to local law enforcement B. Notification to their acquiring bank C. Notification to federal law enforcement D. Notification to Visa and Mastercard
B. Maria has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Maria's ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.
Maria wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Maria performed? A. Manual code reversing B. Interactive behavior analysis C. Static property analysis D. Dynamic code analysis
A. Resource Monitor provides average CPU utilization in addition to real-time CPU utilization. Since Kelly wants to see average usage over time, she is better off using Resource Monitor instead of Task Manager (which meets all of her other requirements). Performance Monitor is useful for collecting performance data, and iperf is a network performance measurement tool.
Kelly sees high CPU utilization in the Windows Task Manager while reviewing a system's performance issues. If she wants to get a detailed view of the CPU usage by application, with PIDs and average CPU usage, what native Windows tool can she use to gather that detail? A. Resource Monitor B. Task Manager C. iperf D. Perfmon
B. Tamper-proof seals are used when it is necessary to prove that devices, systems, or spaces were not accessed. They often include holographic logos that help to ensure that tampering is both visible and cannot be easily hidden by replacing the sticker. A chain-of-custody log works only if personnel actively use it, and system logs will not show physical access. If Latisha has strong concerns, she may also want to ensure that the room or space is physically secured and monitored using a camera system.
Latisha wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them? A. A chain-of-custody log B. Tamper-proof seals C. System logs D. None of the above
C. The built-in macOS utility for measuring memory, CPU, disk, network, and power usage is Activity Monitor. Windows uses Resource Monitor, Sysradar was made up for this question, and System Monitor is used to collect information from Microsoft's SQL Server via RPC.
Laura needs to check on memory, CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these? A. Resource Monitor B. System Monitor C. Activity Monitor D. Sysradar
B. Linux provides a pair of useful ACL backup and restore commands: getfacl allows recursive backups of directories, including all permissions, to a text file, and setfacl restores those permissions from the backup file.
Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system? A. chbkup B. getfacl C. aclman D. There is not a common Linux permission backup tool.
D. Lauren will get the most information by setting auditing to All but may receive a very large number of events if she audits commonly used folders. Auditing only success or failure would not show all actions, and full control is a permission, not an audit setting.
Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes? A. Success B. Fail C. Full control D. All
A. Failed SSH logins are common, either because of a user who has mistyped their password or because of scans and random connection attempts. Liam should review his SSH logs to see what may have occurred.
Liam notices the following entries in his Squert web console (a web console for Sguil IDS data). What should he do next to determine what occurred? A. Review SSH logs. B. Disable SSH and then investigate further. C. Disconnect the server from the Internet and then investigate. D. Immediately change his password.
A. Windows does not include a built-in secure erase tool in the GUI or at the command line. Using a third-party program like Eraser or a bootable tool like DBAN is a reasonable option, and encrypting the entire drive and then deleting the key will have the same effect.
Lukas wants to purge a drive to ensure that data cannot be extracted from it when it is sent off-site. Which of the following is not a valid option for purging hard drives on a Windows system? A. Use the built-in Windows sdelete command line. B. Use Eraser. C. Use DBAN. D. Encrypt the drive and then delete the key.
C. The File System audit subcategory includes the ability to monitor for both access to objects (event ID 4663) and permission changes (event ID 4670). Manish will probably be most interested in 4670 permission change events, as 4663 events include read, write, delete, and other occurrences and can be quite noisy!
Manish wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this? A. File Permissions B. User Rights C. File System D. Audit Objects
B. Although it may seem like an obvious answer, Microsoft's MBSA is now outdated and does not fully support Windows 10. Marsha should select one of the other options listed to ensure that she gets a complete report.
Marsha needs to ensure that the workstations she is responsible for have received a critical Windows patch. Which of the following methods should she avoid using to validate patch status for Windows 10 systems? A. Check the Update History manually. B. Run the Microsoft Baseline Security Analyzer. C. Create and run a PowerShell script to search for the specific patch she needs to check. D. Use an endpoint configuration manager to validate patch status for each machine on her.
B. NIST describes brute-force methods used to degrade networks or services as a form of attrition in their threat classification scheme. It may be tempting to call this improper usage, and it is; however, once an employee has been terminated, it is no longer an insider attack, even if the employee retains access.
A disgruntled former employee uses the systems she was responsible for to slow down the network that Chris is responsible for protecting during a critical business event. What NIST threat classification best fits this type of attack? A. Impersonation B. Attrition C. Improper usage D. Web
C. A general best practice when dealing with sensitive systems is to encrypt copies of the drives before they are sent to third parties.
A forensic team needs to send an image of a compromised system in RAW format to the forensic examiner. What step should be taken prior to sending a drive containing the image? A. Encode in E01 format and provide a hash of the original file on the drive B. Encode in FTK format and provide a hash of the new file on the drive C. Encrypt the RAW file and transfer a hash and key under separate cover D. Decrypt the RAW file and transfer a hash under separate cover
A. The only true statement based on the image is that there are two remote users connected to the system via SSH. Port 9898 is registered with IANA as Monkeycom but is often used for Tripwire, leading to incorrect identification of the service. The local system is part of the example.com domain, and the command that was run will not show any UDP services because of the -at flag, meaning that you cannot verify if any UDP services are running.
Marta runs the command shown here while checking usage of her Linux system. Which of the following statements is true based on the information shown? A. There are two users logged in remotely via SSH. B. There is an active exploit in progress using the Monkeycom exploit. C. The local system is part of the demo.com domain. D. The system is not providing any UDP services.
B. In most cases, the first detection type should be able to detect rogue SSIDs. This will help reduce the risk of users connecting to untrusted SSIDs.
Mei is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first? A. Authorized MAC B. Authorized SSID C. Authorized channel D. Authorized vendor
B. NIST specifically recommends the hostname, MAC addresses, and IP addresses of the system. Capturing the full output of an ipconfig or ifconfig command may be useful, but forensic analysis may not permit interaction with a live machine. Additional detail like the domain (or domain membership) may or may not be available for any given machine, and NIC manufacturer and similar data is not necessary under most circumstances.
Mel is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST's recommendations? A. Subnet mask, DHCP server, hostname, MAC address B. IP addresses, MAC addresses, hostname C. Domain, hostname, MAC addresses, IP addresses D. NIC manufacturer, MAC addresses, IP addresses, DHCP configuration
D. NIST identifies customers, constituents, media, other incident response teams, Internet service providers, incident reporters, law enforcement agencies, and software and support vendors as outside parties that an IR team will communicate with.
NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties? A. Customers, constituents, and media B. Internet service providers C. Law enforcement agencies D. Legal counsel
D. This data is obviously not personally identifiable information (PII), personal health information (PHI), or payment card information (PCI). Data about a merger would be considered corporate confidential information.
The company that Charlene works for has been preparing for a merger, and during a quiet phase she discovers that the corporate secure file server that contained the details of the merger has been compromised. As she works on her incident summary report, how should she most accurately categorize the data that was breached? A. PII B. PHI C. PCI D. Corporate confidential data
B. If the MAC addresses of systems owned by the organization are known, then a MAC address report from the routers and switches will show connected devices that are not part of the inventory.
The senior management at the company that Kathleen works for is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information? A. A discovery scan using a port scanner B. Router and switch-based MAC address reporting C. A physical survey D. Reviewing a central endpoint administration tool
C. If Alice focuses on a quick restoration, she is unlikely to preserve all of the evidence she would be able to during a longer incident response process. Since she is focusing on quick restoration, the service should be available more quickly, and the service and system should not be damaged in any significant way by the restoration process. The time required to implement the strategy will typically be less if she does not conduct a full forensic investigation and instead focuses on service restoration.
The system that Alice has identified as the source of beaconing traffic is one of her organization's critical e-commerce servers. To maintain her organization's operations, she needs to quickly restore the server to its original, uncompromised state. What criterion is most likely to be impacted the most by this action? A. Damage to the system or service B. Service availability C. Ability to preserve evidence D. Time and resources needed to implement the strategy
C. Without other requirements in place, many organizations select a one- to two-year retention period. This allows enough time to use existing information for investigations but does not retain so much data that it cannot be managed. Regardless of the time period selected, organizations should set and consistently follow a retention policy.
Ty needs to determine the proper retention policy for his organization's incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what timeframe should he select? A. 30 days B. 90 days C. 1 to 2 years D. 7 years
B. It is unlikely that skilled attackers will create a new home directory for an account they want to hide. Checking /etc/passwd and /etc/shadow for new accounts is a quick way to detect unexpected accounts, and checking both the sudoers file and membership in wheel and other high-privilege groups can help Vlad detect unexpected accounts with increased privileges.
Vlad believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this? A. Review /etc/passwd and /etc/shadow for unexpected accounts. B. Check /home/ for new user directories. C. Review /etc/sudoers for unexpected accounts. D. Check /etc/groups for group membership issues.
A. The Windows registry stores a list of wireless networks the system has connected to under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. This is not a user-specific setting and is stored for all users in LocalMachine.
Vlad wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about? A. The registry B. The user profile directory C. The wireless adapter cache D. Wireless network lists are not stored after use.
D. Although the registry contains the account creation date and time as well as the last login date and time, it does not contain the time the user first logged in. Fortunately for Wang, the SAM also contains password expiration information, user account type, the username, full name, user's password hint, when the password must be reset and when it will fail, as well as whether a password is required. The SAM does not include the number of logins for a user, but some of this detail may be available in the system logs.
Wang is performing a forensic analysis of a Windows 10 system and wants to provide an overview of usage of the system using information contained in the Windows registry. Which of the following is not a data element she can pull from the SAM? A. Password expiration setting B. User account type C. Number of logins D. The first time the account logged in
A. The NX bit sets fine-grained permissions to mapped memory regions, while ASLR ensures that shared libraries are loaded at randomized locations, making it difficult for attackers to leverage known locations in memory.
What are the two most commonly used methods for preventing Linux buffer overflow attacks? A. The NX bit and ASLR B. StackAntismash C. Position-independent variables and ASLR D. DEP and the position-independent variables
B. Only a verifiable MD5 hash is needed to validate the files under most circumstances.
What info should be requested from a vendor in order to validate the application files downloaded? A. File size and file creation date B. MD5 hash C. Private key and cryptographic hash D. Public key and cryptographic hash
C. The U.S. National Archives General Records Schedule stipulates a three-year records retention period for incident-handling records.
What is the minimum retention period for incident data for U.S. federal government agencies? A. 90 days B. 1 year C. 3 years D. 7 years
C. If the Security log has not rotated, Angela should be able to find the account creation under event ID 4720. The System log does not contain user creation events, and user profile information doesn't exist until the user's first login. The registry is also not a reliable source of account creation date information.
What method is the best option to determine when a user account was created on a Windows 10 workstation if it is believed the account was created recently? A. Check the system log. B. Check the user profile creation date. C. Check the Security log. D. Query the registry for the user ID creation date.
D. NIST's Computer Security Incident Handling Guide notes that identifying an attacker can be "time-consuming and futile." In general, spending time identifying attackers is not a valuable use of incident response time for most organizations.
What strategy does NIST suggest for identifying attackers during an incident response process? A. Use geographic IP tracking to identify the attacker's location. B. Contact upstream ISPs for assistance in tracking down the attacker. C. Contact local law enforcement so that they can use law enforcement-specific tools. D. Identifying attackers is not an important part of the incident response process.
C. This is a simple representation of a buffer overflow attack. The attacker overflows the buffer, causing the return address to be pointed to malicious code that the attacker placed in memory allocated to the process.
What type of attack behavior is shown here? A. Kernel override B. RPC rewrite C. Buffer overflow D. Heap hack
D. Passphrases associated with keys are not kept in the .ssh folder. It does contain the remote hosts that have been connected to, the public keys associated with those hosts, and private keys generated for use connecting to other systems.
What useful information cannot be determined from the contents of the $HOME/.ssh folder when conducting forensic investigations of a Linux system? A. Remote hosts that have been connected to B. Private keys used to log in elsewhere C. Public keys used for logins to this system D. Passphrases associated with the keys
D. NIST SP 800-61 categorizes signs of an incident into two categories, precursors and indicators. Precursors are signs that an incident may occur in the future. Since there is not an indicator that an event is in progress, this can be categorized as a precursor. Now Abdul needs to figure out how he will monitor for a potential attack.
When Abdul arrived at work this morning, he found an email in his inbox that read, "Your systems are weak; we will own your network by the end of the week." How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs? A. An indicator B. A threat C. A risk D. A precursor
C. Slack space is leftover storage that exists because files do not take up the entire space allocated for them. Since the Unallocated partition does not have a filesystem on it, space there should not be considered slack space. Both System Reserved and C: are formatted with NTFS and will have slack space between files.
Where is slack space found in a Windows partition map containing System Reserved, C: drive, and Unallocated space? A. The System Reserved partition B. The System Reserved and Unallocated partitions C. The System Reserved and C: partitions D. The C: and unallocated partitions
D. ifconfig, netstat -i, and ip link show will all display a list of the network interfaces for a Linux system. The intf command is made up for this question.
Which of the following commands is not useful for determining the list of network interfaces on a Linux system? A. ifconfig B. netstat -i C. ip link show D. intf -q
D. There is no common standard for determining the age of a user account in Linux. Some organizations add a comment to user accounts using the -c flag for user creation to note when they are created. Using the ls command with the -ld flag will show the date of file creation, which may indicate when a user account was created if a home directory was created for the user at account creation, but this is not a requirement. The aureport command is useful if auditd is in use, but that is not consistent between Linux distros.
Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking? A. userstat [username] B. ls -ld /home/[username] C. aureport -auth | grep [username] D. None of the above
D. The Signal protocol is designed for secure end-to-end messaging, and using a distinct messaging tool for incident response can be helpful to ensure that staff separate incident communication from day-to-day operations. Text messaging is not secure. Email with TLS enabled is only encrypted between client and server and may be exposed between servers. A Jabber server is less secure than the Signal protocol.
Which of the following methods provides a secure messaging tool? A. Text messaging B. Jabber server with TLS enabled C. Email with TLS enabled D. Messaging app that uses the Signal protocol
C. The order of volatility for media from least to most volatile is often listed as backups and printouts; then disk drives like hard drives and SSDs; then virtual memory; and finally CPU cache, registers, and RAM. Artifacts stored in each of these locations can be associated with the level of volatility of that storage mechanism. For example, routing tables will typically be stored in RAM, making them highly volatile. Data stored on rewritable media is always considered more volatile than data stored on write-once media.
Which of the following properly lists the order of volatility from least volatile to most volatile? A. Printouts, swap files, CPU cache, RAM B. Hard drives, USB media, DVDs, CD-RWs C. DVDs, hard drives, virtual memory, caches D. RAM, swap files, SSDs, printouts
D. A CSIRT leader must have the authority to direct the incident response process and should be able to act as a liaison with organizational management. The IT manager is an ideal candidate to perform these functions.
Which of the following roles should be included as the leader of an organization's CSIRT? A. Lead IT support staff technician B. Legal counsel C. Third-party IR team lead D. IT manager
C. Improper usage, which results from violations of an acceptable use policy by authorized users, can be reduced by implementing a strong awareness program.
Which of the following threats can be most effectively dealt with via awareness? A. Attrition B. Impersonation C. Improper usage D. Web
A. Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting will leave the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning will also leave data intact in the new partitions.
Which option accomplishes a drive purge? A. Cryptographic erase B. Reformat C. Overwrite D. Repartition
B. FTK Imager Lite is shown configured to write a single large file, which will fail on FAT32-formatted drives, where the largest single file is 4 GB. If Chris needs to create a single file, he should format his destination drive as NTFS. In many cases, he should simply create a raw image to a blank disk instead!
While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set (see image below). What issue is he most likely encountering? A. The files need to be compressed. B. The destination drive is formatted FAT32. C. The destination drive is formatted NTFS. D. The files are encrypted.
C. The traffic values captured by ifconfig reset at 4 GB of data, making it an unreliable means of assessing how much traffic a system has sent when dealing with large volumes of traffic. Bohai should use an alternate tool designed specifically to monitor traffic levels to assess the system's bandwidth usage.
While checking for bandwidth consumption issues, Bohai uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent over 20 GB. What problem has Bohai encountered? A. A rootkit is concealing traffic from the Linux kernel. B. Flow logs show traffic that does not reach the system. C. ifconfig resets traffic counters at 4 GB. D. ifconfig only samples outbound traffic and will not provide accurate information.
A. Modern Microsoft Office files are actually stored in a ZIP format. Alex will need to open them using a utility that can unzip them before he can manually review their contents. He may want to use a dedicated Microsoft Office forensics tool or a forensics suite with built-in support for Office documents.
While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2020.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred? A. Microsoft Word files are stored in ZIP format. B. Microsoft Word files are encrypted. C. Microsoft Word files can be opened only by Microsoft Word. D. The user has used antiforensic techniques to scramble the data.
C. When /var fills up, it is typically due to log files filling up all available space.
While investigating a system error, an admin runs the 'df' command on a Linux box. What is the likely problem and cause based on the following output: A. The var partition is full and needs to be wiped B. Slack space has filled up and needs to be purged C. The var partition is full, and logs should be checked D. The system is operating normally and will fix the problem after a reboot
D. Both auth.log and /etc/passwd may show evidence of the new user, but auth.log will provide details such as the creation date and time, whereas with /etc/passwd Chris would need to already know which users existed before the new user was added. Chris will get more useful detail by checking auth.log.
While reviewing his OSSEC SIEM logs, Chris notices entries for a new group and user added to the system. What should his next action be if he wants to quickly identify the new user's creation date and time? A. Check the user.log for a new user. B. Check syslog for a new user. C. Check /etc/passwd for a new user. D. Check auth.log for a new user.
B. In cases where an advanced persistent threat (APT) has been present for an unknown period of time, backups should be assumed to be compromised. Since APTs often have tools that cannot be detected by normal anti-malware techniques, the best option that Manish has is to carefully rebuild the systems from the ground up and then ensure that they are fully patched and secured before returning them to service.
While working to restore systems to their original configuration after a long-term APT compromise, Manish has three options: A. He can restore from a backup and then update patches on the system. B. He can rebuild and patch the system using original installation media and application software using his organization's build documentation. C. He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems. Which option should Manish choose in this scenario? A. Option A B. Option B C. Option C D. None of the above. Manish should hire a third party to assess the systems before proceeding.
B. Chrome uses the number of seconds since midnight on January 1, 1601, for its timestamps. This is similar to the file time used by Microsoft in some locations, although the file time records time in 100 nanosecond slices instead of seconds. Since the problem did not specify an operating system and Chrome is broadly available for multiple platforms, you'll likely have recognized that this is unlikely to be a Microsoft timestamp. ISO 8601 is written in a format like this: 2017-04-02T04:01:34+00:00.
Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as "visit time" listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful? A. The value is in seconds since January 1, 1970. B. The value is in seconds since January 1, 1601. C. The value is a Microsoft timestamp and can be converted using the time utility. D. The value is an ISO 8601-formatted date and can be converted with any ISO time utility.
A. Chris needs both the /etc/passwd and the /etc/shadow files for John the Ripper to crack the passwords. Although only hashes are stored, John the Ripper includes built-in brute-force tools that will crack the passwords.
Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system? A. Both /etc/passwd and /etc/shadow B. /etc/shadow C. /etc/passwd D. Chris cannot recover passwords; only hashes are stored.
A. A second forensic examiner who acts as a witness, countersigning all documentation and helping document all actions, provides both strong documentation and another potential witness in court. Independent forensic action, no matter how well documented, will not be as reliable as having a witness.
Cullen wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions? A. A second examiner acting as a witness and countersigning all actions B. A complete forensic log book signed and sealed by a notary public C. A documented forensic process with required sign-off D. Taking pictures of all independent forensic actions.
B. Although it may seem obvious that the system should be isolated from the network when it is rebuilt, we have seen this exact scenario played out before. In one instance, the system was compromised twice before the system administrator learned their lesson!
Cynthia is reviewing her organization's incident response recovery process, which includes restoring from clean backups -> installing patches -> changing all passwords -> assessing systems security. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process? A. Change passwords before restoring from backup B. Isolate the system before restoring from backups C. Securely wipe the drive before restoration D. Vulnerability scan before patching
D. A sudden resumption of traffic headed "in" after sitting at zero likely indicates a network link or route has been repaired. A link failure would show a drop to zero, rather than an increase. The complete lack of inbound traffic prior to the resumption at 9:30 makes it unlikely this is a DDoS, and the internal systems are not sending significant traffic outbound.
Deepa is diagnosing major network issues at a large organization and sees the following graph in her PRTG console on the "outside" interface of her border router. What can Deepa presume has occurred? A. The network link has failed. B. A DDoS is in progress. C. An internal system is transferring a large volume of data. D. The network link has been restored.
B. Degaussing, which uses a powerful electromagnet to remove data from tape media, is a form of purging.
Degaussing is an example of what form of media sanitization? A. Clearing B. Purging C. Destruction D. It is not a form of media sanitization.
B. Eraser is a tool to securely wipe files and drives. If Eraser is not typically installed, antiforensic activities should be suspected.
During a forensic analysis of an employee's computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation? A. A wiped C: drive B. Antiforensic activities C. All slack space cleared D. Temporary files and Internet history wiped
D. The chain of custody for evidence is maintained by logging and labeling evidence. This ensures that the evidence is properly controlled and accessed.
During a forensic investigation, Kwame records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Kwame is using as he labels evidence with details of who acquired and validated it? A. Direct evidence B. Circumstantial evidence C. Incident logging D. Chain of custody
B. If the system cannot be suspended, the best option is to copy the virtual disk files and use a live memory imaging tool. Snapshotting and booting will result in loss of live memory artifacts. Volatility can capture memory artifacts but is not designed to capture a full virtual machine.
During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. B. Copy the virtual disk files and then use a memory capture tool. C. Escalate to management to get permission to suspend the system to allow a true forensic copy. D. Use a tool like the Volatility Framework to capture the live machine completely.
B. Portable imaging tools like FTK Imager Lite can be run from removable media, allowing a live image to be captured. Kobe may still want to capture the system memory as well, but when systems are used for data gathering and egress, the contents of the disk will be important. Installing a tool or taking the system offline and mounting the drive are both undesirable in this type of scenario when the system must stay online and should not be modified.
During a major incident response effort, Kobe discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data? A. Reboot the server and mount the system drive using a USB-bootable forensic suite. B. Create an image using a tool like FTK Imager Lite. C. Capture the system memory using a tool like Volatility. D. Install and run an imaging tool on the live server.
D. The program netcat is typically run using nc. The -k flag for netcat makes it listen continuously rather than terminating after a client disconnects, and -l determines the port that it is listening on. In this case, the netcat server is listening on TCP port 6667, which is typically associated with IRC.
During an incident response effort, Alex discovers a running Unix process that shows that it was run using the command nc -k -l 6667. He does not recognize the service, believes it may be a malicious process, and needs assistance in determining what it is. Which of the following would best describe what he has encountered? A. An IRC server B. A network catalog server C. A user running a shell command D. A netcat server
B. SNMP, packet sniffing, and NetFlow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial ports.
Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage? A. SNMP B. Portmon C. Packet sniffing D. NetFlow
C. The process details are provided using the p flag, whereas the e flag will show extended information that includes the username and inode of the process. The -t flag shows only TCP connections, -s shows summary information, -a shows all sockets, and the -n flag shows numeric IPs, which is faster than reverse DNS queries.
Faruk wants to use netstat to get the process name, the PID, and the username associated with abnormally behaving processes that are running on a Linux system he is investigating. What netstat flags will provide him with this information? A. -na B. -pt C. -pe D. -sa
D. The Windows Quick Format option leaves data in unallocated space on the new volume, allowing the data to be carved and retrieved. This does not meet the requirements for any of the three levels of sanitization defined by NIST.
Forensic investigation shows that the target of an investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence? A. Clear B. Purge C. Destroy D. None of the above
D. Windows audits account creation by default. Account creation events fall under event ID 4720.
Frank wants to log the creation of user accounts on a Windows workstation. What tool should he use to enable this logging? A. secpol.msc B. auditpol.msc C. regedit D. Frank does not need to make a change; this is a default setting.
B. When forensic evidence or information is produced for a civil case, it is called e-discovery. This type of discovery often involves massive amounts of data, including email, files, text messages, and any other electronic evidence that is relevant to the case.
In his role as a forensic examiner, Lukas has been asked to produce forensic evidence related to a civil case. What is this process called? A. Criminal forensics B. E-discovery C. Cyber production D. Civil tort
D. Outsourcing to a third-party incident response provider allows Mike to bring in experts when an incident occurs while avoiding the day-to-day expense of hiring a full-time staff member. This can make a lot of financial sense if incidents occur rarely, and even large organizations bring in third-party response providers when large incidents occur. A security operations center (SOC) would be appropriate if Mike needed day-to-day security monitoring and operations, and hiring an internal team does not match Mike's funding model limitations in this scenario.
In his role as a small company's information security manager, Mike has a limited budget for hiring permanent staff. Although his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents? A. Outsource to a third-party SOC B. Create an internal SOC C. Hire an internal incident response team D. Outsource to an incident response provider
C. Incremental mode is the most powerful mode, as it will try all possible character combinations as defined by the settings. Single crack mode tries to use login names with various modifications and is very useful for initial testing. Wordlist uses a dictionary file along with mangling rules to test for common passwords. External mode relies on functions that are custom-written to generate passwords. External mode is useful if an organization has custom password policies you want the tool to use.
In order to test for the broadest range of passwords, which mode should John the Ripper be run under? A. Single crack mode B. Wordlist mode C. Incremental mode D. External mode
D. Linux permissions are read numerically as "owner, group, other". The numbers stand for read: 4, write: 2, and execute: 1. Thus, a 7 provides the owner, group, or other with read, write, and execute. A 4 means read-only; a 5 means read and execute, without write. 777 provides the broadest set of permissions, and 000 provides the least.
In order, which set of Linux permissions are least permissive to most permissive? A. 777,444,111 B. 544, 444, 545 C. 711, 717, 117 D. 111, 734, 747
D. A forensic investigator's best option is to seize, image, and analyze the drive that Janet downloaded the files to. Since she only deleted the files, it is likely that the investigator will be able to recover most of the content of the files, allowing them to be identified. Network flows do not provide file information, SMB does not log file downloads, browser caches will typically not contain a list of all downloaded files, and incognito mode is specifically designed to not retain session and cache information.
Janet is attempting to conceal her actions on a company-owned computer. As part of her cleanup attempts, she deletes all the files she downloaded from a corporate file server using a browser in incognito mode. How can a forensic investigator determine what files she downloaded? A. Network flows B. SMB logs C. Browser cache D. Drive analysis
A. FileVault does allow trusted accounts to unlock the drive, but not by changing the key.
Jessica wants to access a macOS FileVault 2-encrypted drive. Which of the following methods is not a possible means of unlocking the volume? A. Change the FileVault key using a trusted user account. B. Retrieve the key from memory while the volume is mounted. C. Acquire the recovery key. D. Extract the keys from iCloud.
A. Because it is not in response to an active incident, this is an example of proactive network segmentation.
John has designed his network so that untrusted systems that want to connect to the network are placed into the Guests network segment. What is this type of segmentation called? A. Proactive network segmentation B. Isolation C. Quarantine D. Removal
B. The more effort Frank puts into staying up-to-date with information by collecting threat information (5), monitoring for indicators (1), and staying up-to-date on security alerts (3), the stronger his organization's security will be. Understanding specific threat actors may become relevant if they specifically target organizations like Frank's, but as a midsize organization Frank's employer is less likely to be specifically targeted directly.
NIST defines five major types of threat information types in NIST SP 800-150, "Guide to Cyber Threat Information Sharing." 1. Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred 2. Tactics, techniques, and procedures that describe the behavior of an actor 3. Security alerts like advisories and bulletins 4. Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used 5. Tool configurations that support collection, exchange, analysis, and use of threat information Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats? A. 1, 2, and 5 B. 1, 3, and 5 C. 2, 4, and 5 D. 1, 2, and 4
B. The setupapi file (C:\Windows\INF\setupapi.dev.log) records the first time a USB device is connected to a Windows system using the local system's time. Other device information is collected in the registry, and the system security log may contain connection information if USB device logging is specifically enabled.
Pranab wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information? A. The registry B. The setupapi log file C. The system log D. The data is not kept on a Windows system.
C. If Raj has ensured that his destination media is large enough to contain the image, then a failure to copy is most likely because of bad media. Modification of the source data will result in a hash mismatch, encrypted drives can be imaged successfully despite being encrypted (the imager doesn't care!), and copying in RAW format is simply a bit-by-bit copy and will not cause a failure.
Raj discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure? A. Data was modified. B. The source disk is encrypted. C. The destination disk has bad sectors. D. The data cannot be copied in RAW format.
B. The ability to create a timeline of events that covers logs, file changes, and many other artifacts is known as a Super Timeline. SIFT includes this capability, allowing Rick to decide what event types and modules he wants to enable as part of his timeline-based view of events.
Rick is conducting a forensic investigation of a compromised system. He knows from user reports that issues started at approximately 3:30 p.m. on June 12. Using the SANS SIFT open source forensic tool, what process should he use to determine what occurred? A. Search the drive for all files that were changed between 3 and 4 p.m. B. Create a Super Timeline. C. Run antimalware and search for newly installed malware tools during that time frame. D. Search system logs for events between 3 and 4 p.m.
C. Of the tools listed, only OpenVAS is a full-system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications, and nmap is a port scanner.
Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities? A. Wapiti B. nmap C. OpenVAS D. ZAP
D. Since most APTs (including this one, as specified in the question) send traffic in an encrypted form, performing network forensics or traffic analysis will only provide information about potentially infected hosts. If Ryan wants to find the actual tools that may exist on endpoint systems, he should conduct endpoint forensics. Along the way, he may use endpoint behavior analysis, network forensics, and network traffic analysis to help identify target systems.
Ryan believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections? A. Network traffic analysis B. Network forensics C. Endpoint behavior analysis D. Endpoint forensics
B. Modern versions of Windows include the built-in certutil utility. Running certutil -hashfile [file location] md5 will calculate the MD5 hash of a file. certutil also supports SHA1 and SHA256 as well as other less frequently used hashes. md5sum and sha1sum are Linux utilities, and hashcheck is a shell extension for Windows.
Saanvi needs to validate the MD5 checksum of a file on a Windows system to ensure that there were no unauthorized changes to the binary file. He is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file? A. md5sum B. certutil C. sha1sum D. hashcheck
D. Saanvi simply needs to generate a known event ID that he can uniquely verify. Once he does, he can log into the SIEM and search for that event at the time he generated it to validate that his system is sending syslogs.
Saanvi needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly? A. Monitor traffic by running Wireshark or tcpdump on the system. B. Configure a unique event ID and send it. C. Monitor traffic by running Wireshark or tcpdump on the SIEM device. D. Generate a known event ID and monitor for it.
A. Pluggable authentication module (PAM)-aware applications have a file in the /etc/pam.d directory. These files list directives that define the module and what settings or controls are enabled. Sadiq should ensure that the multifactor authentication system he uses is configured as required in the PAM files for the services he is reviewing.
Sadiq wants to verify that authentication to a Linux service has two-factor authentication settings set as a requirement. Which common Linux directory can he check for this type of setting, listed by application, if the application supports it? A. /etc/pam.d B. /etc/passwd C. /etc/auth.d D. /etc/tfa
D. Playbooks describe detailed procedures that help to ensure that organizations and individuals take the right actions during the stress of an incident. Operations guides typically cover normal operational procedures, while an incident response policy describes the high-level organizational direction and authority for incident response. An incident response program might generate a policy and a playbook but would not include the detailed instructions itself.
Samantha has recently taken a new position as the first security analyst that her employer has ever had on staff. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Samantha plans to start up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise? A. An incident response policy B. An operations manual C. An incident response program D. A playbook
A. The space that Saria sees is the space between the end of the file and the space allocated per cluster or block. This space may contain remnants of previous files written to the cluster or block or may simply contain random data from when the disk was formatted or initialized.
Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered? A. Slack space B. Hidden content C. Sparse files D. Encryption overhead
C. APFS is the default and native macOS drive format on current versions of macOS. HFS+ was the default filesystem for older versions of macOS.
Selah is preparing to collect a forensic image for a Macintosh computer running the Mojave operating system. What hard drive format is she most likely to encounter? A. FAT32 B. MacFAT C. APFS D. HFS+
B. Memory pressure is a macOS-specific term used to describe the availability of memory resources. Yellow segments on a memory pressure chart indicate that memory resources are still available but are being tasked by memory management processes such as compression.
Singh is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image? A. Memory resources are available. B. Memory resources are available but being tasked by memory management processes. C. Memory resources are in danger, and applications will be terminated to free up memory. D. Memory resources are depleted, and the disk has begun to swap.
A. Suspending a virtual machine will result in the RAM and disk contents being stored to the directory where it resides. Simply copying that folder is then sufficient to provide Susan with all the information she needs. She should not turn the virtual machine off, and creating a forensic copy of the drive is not necessary (but she should still validate hashes for the copied files or directory).
Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need? A. Suspend the machine and copy the contents of the directory it resides in. B. Perform a live image of the machine. C. Suspend the machine and make a forensic copy of the drive it resides on. D. Turn the virtual machine off and make a forensic copy of it.
